[Pdns-users] Does PowerDNS plan to implement Response Policy Zone ( RPZ )?

2012-12-04 Thread Augie Schwer
Are there any plans to build RPZ support into PowerDNS?

I googled around, and didn't see any discussion of RPZ outside of Bind, so
I thought I'd ask. :)


-- 
Augie Schwer - au...@schwer.us - http://schwer.us
___
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users


Re: [Pdns-users] Dynamically load auth-zones into the PowerDNS Recursor.

2012-06-05 Thread Augie Schwer
Yes, rec_control reload-zones looks like it will work, thanks Bert!  --Augie

On Tue, Jun 5, 2012 at 10:21 AM, bert hubert  wrote:
> pdns_control reload-zones ?
>
> Supposed to do what you want ;-)
>
>
> On Jun 5, 2012, at 7:20 PM, Augie Schwer wrote:
>
>> Is there a way to load auth-zones into the PowerDNS recursor without
>> modifying the configuration file and restarting the daemon every time
>> I want to add a new domain to the list?
>>
>> Ideally I would like to add domains to the auth-zones list without
>> the operation being service impacting. Any ideas?
>>
>>
>> --
>> Augie Schwer    -    au...@schwer.us    -    http://schwer.us
>>
>



-- 
Augie Schwer    -    au...@schwer.us    -    http://schwer.us


[Pdns-users] Dynamically load auth-zones into the PowerDNS Recursor.

2012-06-05 Thread Augie Schwer
Is there a way to load auth-zones into the PowerDNS recursor without
modifying the configuration file and restarting the daemon every time
I want to add a new domain to the list?

Ideally I would like to add domains to the auth-zones list without
the operation being service impacting. Any ideas?


-- 
Augie Schwer    -    au...@schwer.us    -    http://schwer.us


Re: [Pdns-users] dnssec in pdns-recursor

2012-03-06 Thread Augie Schwer
On Fri, Mar 2, 2012 at 1:26 AM, bert hubert  wrote:
> 3.1 auth will come first. So it is no longer true. After 3.1 auth we will do
> 3.4 recursor first, which will not come with DNSSEC yet, but does have
> important improvements.
> DNSSEC will happen after that. Immediately. ;-)

Well, here are two future feature requests for that DNSSEC-enabled pdns-recursor:

* Ability to exclude a particular domain from DNSSEC validation; for
example, if a popular site (say nasa.gov) updates their keys
incorrectly so that their domain fails validation, you contact their
admins, and with a high level of confidence you determine this is a
configuration mistake and not a security breach, you can then exclude
them from DNSSEC validation so your customers can access their site
while they fix their error.

* Ability to log DNSSEC validation failures in domains, so that you
can proactively be aware of situations like the above scenario.


-- 
Augie Schwer    -    au...@schwer.us    -    http://schwer.us


[Pdns-users] In lieu of a DNSSEC pdns-recursor what are folks using?

2012-03-02 Thread Augie Schwer
In lieu of a DNSSEC enabled pdns-recursor what are folks using?

Any suggestions?


-- 
Augie Schwer    -    au...@schwer.us    -    http://schwer.us


Re: [Pdns-users] dnssec in pdns-recursor

2012-02-29 Thread Augie Schwer
On Fri, May 20, 2011 at 11:52 PM, bert hubert  wrote:
> On Fri, May 20, 2011 at 03:31:35PM -0700, Alfred B. M. Cordero wrote:
>> Does anyone know if the recursor can use dnssec? I don't find
>> any information on that.
> not yet, but this will come immediately after the release of 3.0
> authoritative server.

An old thread, but with the recent release of the 3.0 version of the
auth. server I wondered if the above statement is still true.


-- 
Augie Schwer    -    au...@schwer.us    -    http://schwer.us


Re: [Pdns-users] Feature Request : Make "rec_control wipe-cache" clear the packet cache.

2012-02-08 Thread Augie Schwer
On Wed, Feb 8, 2012 at 6:19 AM, Peter van Dijk
 wrote:
> On Feb 8, 2012, at 1:47 , Augie Schwer wrote:
>> It would be great if "rec_control wipe-cache" cleared the packet cache too:
>> http://wiki.powerdns.com/trac/ticket/282
> This will certainly happen before the release of 3.1.

Peter, I was talking about the PowerDNS recursive server, not the
authoritative server -- I'm not sure if the line above is a typo, or a
miscommunication on my part.


-- 
Augie Schwer    -    au...@schwer.us    -    http://schwer.us


[Pdns-users] Feature Request : Make "rec_control wipe-cache" clear the packet cache.

2012-02-07 Thread Augie Schwer
It would be great if "rec_control wipe-cache" cleared the packet cache too:

http://wiki.powerdns.com/trac/ticket/282


-- 
Augie Schwer    -    au...@schwer.us    -    http://schwer.us


Re: [Pdns-users] PowerDNS Security Advisory 2012-01: Denial of Service vulnerability in most versions of the PowerDNS Authoritative Server

2012-01-10 Thread Augie Schwer
On Tue, Jan 10, 2012 at 6:01 AM, bert hubert  wrote:
> To solve this issue, we recommend upgrading to the latest packages available
> for your system. Tarballs and new static builds (32/64bit, RPM/DEB) of 
> 2.9.22.5
> and 3.0.1 have been uploaded to our download site. Kees Monshouwer has 
> provided
> updated CentOS/RHEL packages in his repository. Debian, Fedora and SuSE should
> have packages available shortly after this announcement.

Bert, I do not see a 2.9.22.5 tar-ball on
http://downloads.powerdns.com/releases ; will there be one soon?


-- 
Augie Schwer    -    au...@schwer.us    -    http://schwer.us


Re: [Pdns-users] Limit on TCP querys.

2011-12-15 Thread Augie Schwer
t captured the problem, it is
> just the single tcpstream. If more of that pcap is needed, let me know.
>
> ftp://ftp.sonic.net/pub/users/gkeller/dns/c.ns.sr.pcap
>
>
>>
>> You really should check the existing TCP connections when the timeouts
>> start. Probably you should also check for TCP connections waiting to be
>> torn down (TIME_WAIT). There also might be issues if connection tracking
>> is enabled and netfilter runs out of memory. Is there some firewall/NAT
>> between the client and the server?
>>
>> What does tcp_timeout really mean? Is the timeout triggered when waiting
>> for the DNS response or even before during establishment of the TCP
>> connection?
>>
>> regards
>> klaus
>>
>>
>> regards
>> Klaus
>>
>
>
> --
> Grant Keller
>



-- 
Augie Schwer    -    au...@schwer.us    -    http://schwer.us


Re: [Pdns-users] Pdns Authoritative + Recursor

2011-12-07 Thread Augie Schwer
What doesn't work? Are both the auth. and recursive PowerDNS servers running?

--Augie

On Wed, Dec 7, 2011 at 6:36 AM, IRCHeaven Technical Support
 wrote:
> Dear Users,
>
>
>
> At the moment I have the Pdns Authoritative server + Recursor running, but this
> combination doesn't work.
> I have read the docs on powerdns.com but I can't get this combination to
> work.
>
> My question is: am I missing something or am I doing something wrong?
>
> PDNS.conf
>
> allow-recursion=My local and network ranges
> do-ipv6-additional-processing=yes
> local-address=my local and external ipv4
> local-ipv6=external IPv6 ip
>
> local-port=53
>
> recursor=127.0.0.1:5300
>
>
>
> my recursor.conf
>
> -additional-processing=on
>
> allow-from=My local and network ranges
>
> local-address=my local and external IPv4 and external IPv6
>
> local-port=5300
>
> query-local-address6=My external IPv6 address
>
>
>
>
>
>
> Best Regards,
>
>
>
>
>
> Patrick  |  Hostmaster, Sysadmin  |  IRCHeaven  | t...@ircheaven.net |



-- 
Augie Schwer    -    au...@schwer.us    -    http://schwer.us


Re: [Pdns-users] PowerDNS in an ISP environment

2011-08-17 Thread Augie Schwer
We at Sonic.net have been running PowerDNS authoritative server and
recursor since 2007 over some 12k+ domains.

Bert and the PowerDNS community have always been very responsive to
questions and assistance.

Before we migrated we captured and replayed some traffic from our then
production BIND name servers to a test instance of PowerDNS, this gave
us the data and confidence to move forward.

PowerDNS used to come with some tools ( namely dnsreplay ), I'm not
sure how available those tools are anymore:

http://doc.powerdns.com/analysis.html

And apparently I wrote something too:

http://www.schwer.us/journal/2006/11/09/replay-dns-traffic-dnsreplaypl/

Of course that just tells you if the name server answered at all, you
would really want to know that it replied with the answer you were
expecting.

I hope that helps.

--Augie

On Tue, Aug 16, 2011 at 12:38 AM, Chris Russell
 wrote:
> Hi All,
>
>
>
> Quick question – is anyone on the list using PDNS in an ISP environment,
> especially for auth services ?
>
>
>
> Have prepped PDNS to replace our Bind instances however management have
> raised concerns over moving away from the “industry standard”, so have asked
> for more justification on the change in software.  Already have some ideas
> but some “real world” use cases would really be the clincher.
>
>
>
> Have spotted a new names on a couple of things published by Bert, and those
> of PlusNET but fpdns (yes, a little out of date signatures I acknowledge)
> seem to suggest no match (could be pdns 3)  but mostly Bind. ie:
>
>
>
> [root@ns1 ~]# fpdns -D plus.net
>
> fingerprint (plus.net, 195.166.128.16): ISC BIND 9.2.3rc1 -- 9.4.0a4
>
> fingerprint (plus.net, 195.166.128.17): ISC BIND 9.2.3rc1 -- 9.4.0a4
>
>
>
> [root@ns1 ~]# fpdns -D register.com
>
> fingerprint (register.com, 216.21.227.12): ISC BIND 9.2.3rc1 -- 9.4.0a4
>
> fingerprint (register.com, 216.21.227.11): ISC BIND 9.2.3rc1 -- 9.4.0a4
>
> fingerprint (register.com, 216.21.230.12): ISC BIND 9.2.3rc1 -- 9.4.0a4
>
>
>
> [root@ns1 ~]# fpdns -D .tk
>
> fingerprint (.tk, 202.125.44.173): ISC BIND 9.2.3rc1 -- 9.4.0a4
>
> fingerprint (.tk, 207.36.228.217): ISC BIND 9.2.3rc1 -- 9.4.0a4
>
> fingerprint (.tk, 217.199.176.121): ISC BIND 9.2.3rc1 -- 9.4.0a4
>
>
>
> [root@ns1 ~]# fpdns -D .mn
>
> fingerprint (.mn, 199.254.62.1): ISC BIND 9.2.3rc1 -- 9.4.0a4
>
> fingerprint (.mn, 199.249.116.1): No match found
>
> fingerprint (.mn, 202.72.241.5): ISC BIND 9.2.3rc1 -- 9.4.0a4
>
> fingerprint (.mn, 202.131.0.10): ISC BIND 9.2.3rc1 -- 9.4.0a4
>
>
>
> Have also done a few scans on some of the top hosts in the UK ISPA, some
> PDNS but mostly myDNS and/or bind.
>
>
>
> This isn’t to get into one server is better than another or individual
> choices, I like PDNS,  more just looking for some use cases so I can get
> this over the line
>
>
>
> Cheers
>
>
>
> Chris
>
>
>



-- 
Augie Schwer    -    au...@schwer.us    -    http://schwer.us


[Pdns-users] Slow TCP response on authoritative server 2.9.22.

2011-08-04 Thread Augie Schwer
Hey folks!

I could use some help tracking down a problem I have with one of our
mixed use ( authoritative + recursive ) PowerDNS 2.9.22 name servers.

The server responds to TCP queries, but in the pcaps I have it can take
12 to 17 seconds to do so.

I can trigger it with the following from my workstation:

while [ 1 ]; do dig schwer.us +recurse +tcp +short +time=1 +retry=1
@c.ns.sr.sonic.net; date; sleep 1; done;

Perhaps we're hitting some maximum setting, or some internal
throttling? Any help is appreciated, two partial pcaps are attached,
one from my workstation ( augnix ), and one from the server.

A compressed pdns.conf follows:

[/root/augie]_(r...@c.ns.sr)_
# grep -v "#" /etc/powerdns/pdns.conf | perl -pe 's/^\s$//'
cache-ttl=300
disable-axfr=yes
launch=gmysql
gmysql-socket=/var/lib/mysql/mysql.sock
gmysql-user=root
gmysql-dbname=pdns
local-address=64.142.56.28,208.201.224.33,208.201.224.11,127.0.0.1,75.101.19.192,75.101.19.193,75.101.19.194,75.101.19.195,75.101.19.196,75.101.19.197,75.101.19.198,75.101.19.199,75.101.19.200,75.101.19.201,75.101.19.202,75.101.19.203,75.101.19.204,75.101.19.205,75.101.19.206,75.101.19.207,75.101.19.208,75.101.19.209,75.101.19.210,75.101.19.211,75.101.19.212,75.101.19.213,75.101.19.214,75.101.19.215,75.101.19.216,75.101.19.217,75.101.19.218,75.101.19.219,75.101.19.220,75.101.19.221,75.101.19.222,75.101.19.223,75.101.19.224,75.101.19.225,75.101.19.226,75.101.19.227,75.101.19.228,75.101.19.229,75.101.19.230,75.101.19.231,75.101.19.232,75.101.19.233,75.101.19.234,75.101.19.235,75.101.19.236,75.101.19.237,75.101.19.238,75.101.19.239,75.101.19.240,75.101.19.241,75.101.19.242,75.101.19.243,75.101.19.244,75.101.19.245,75.101.19.246,75.101.19.247,75.101.19.248,75.101.19.249,75.101.19.250,75.101.19.251,75.101.19.252,75.101.19.253,75.101.19.254
local-port=53
logging-facility=0
max-tcp-connections=1000
negquery-cache-ttl=600
out-of-zone-additional-processing=yes
query-cache-ttl=300
recursive-cache-ttl=300
recursor=127.0.0.1:5300
send-root-referral=no
setgid=pdns
setuid=pdns
webserver=yes
webserver-address=64.142.56.28
webserver-port=8081
version-string=powerdns


-- 
Augie Schwer    -    au...@schwer.us    -    http://schwer.us


augnix-part.pcap
Description: Binary data


c-ns-sr-part.pcap
Description: Binary data


Re: [Pdns-users] Recursor DNS Cache Question

2011-01-05 Thread Augie Schwer
They are answering the same now, in the future you can use
"rec_control wipe-cache sawtoothos.com":

http://doc.powerdns.com/rec-control.html

--Augie



On Tue, Jan 4, 2011 at 12:59 PM, Josh Barron  wrote:
> Hello,
>
>
>
> I have an interesting issue, that hopefully someone can help me resolve.
>
>
>
> I have 2 DNS servers running PDNS and PDNS-Recursor.  Both are slaved to a
> single master server (doesn’t run recursor) using MySQL as a backend.
>
> When I query a given domain (neither of these servers are authoritative for
> the domain in question) from NS1 I receive a different response than when I
> query the domain from NS2.  Example below.
>
> Can anyone assist?  I’m not sure how to purge the cache.  I attempted
> “pdns_control purge,” it didn’t have any affect.  The record cache on
> 216.222.1.2 is the wrong one.  Thanks for your help.
>
>
>
>
>
> [r...@dns01 user]# dig @216.222.1.3 ns2.sawtoothos.com
>
>
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @216.222.1.3
> ns2.sawtoothos.com
>
>
>
> ;; QUESTION SECTION:
>
> ;ns2.sawtoothos.com.    IN  A
>
>
>
> ;; ANSWER SECTION:
>
> ns2.sawtoothos.com. 36792   IN  A   216.222.54.245
>
>
>
> ;; Query time: 2 msec
>
> ;; SERVER: 216.222.1.3#53(216.222.1.3)
>
> ;; WHEN: Tue Jan  4 13:45:32 2011
>
> ;; MSG SIZE  rcvd: 52
>
>
>
> [r...@dns01 user]# dig @216.222.1.2 ns2.sawtoothos.com
>
>
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @216.222.1.2
> ns2.sawtoothos.com
>
>
>
> ;; QUESTION SECTION:
>
> ;ns2.sawtoothos.com.    IN  A
>
>
>
> ;; ANSWER SECTION:
>
> ns2.sawtoothos.com. 118415  IN  A   216.222.54.249
>
>
>
> ;; Query time: 2 msec
>
> ;; SERVER: 216.222.1.2#53(216.222.1.2)
>
> ;; WHEN: Tue Jan  4 13:45:40 2011
>
> ;; MSG SIZE  rcvd: 52
>
>
>
>
>
>
>



-- 
Augie Schwer    -    au...@schwer.us    -    http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Perl powerDNS API

2010-06-29 Thread Augie Schwer
Fredj,

This may be what you are looking for:

http://search.cpan.org/~augie/PowerDNS-Backend-MySQL-0.09/lib/PowerDNS/Backend/MySQL.pm

--Augie

On Fri, Jun 25, 2010 at 2:38 AM, fredj toukebri wrote:

> Hi all,
>
> I want to manage our DNS platform (PDNS servers) through an external
> application, so I need web services or an API for our application to
> interact with DNS.
>
> Is somebody working on this already?
>
> Regards,
>
> Fredj Toukebri
>
>
>
>


-- 
Augie Schwer - au...@schwer.us - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] PowerDNS returns a malformed response when queried for a TXT record larger than 257 characters.

2010-03-29 Thread Augie Schwer
Hey Julian,

Thank you for the reply -- my problem isn't how to compose a
multi-part SPF message inside a TXT record.

The problem I see is how PowerDNS (mis-)behaves when trying to serve a
non-compliant record.

PowerDNS returns NOERROR for the status and then returns a malformed message.

I understand the argument of "bad data in, bad data out"; I would
rather see PowerDNS not return bad data though.

--Augie

On Wed, Mar 24, 2010 at 6:14 PM, Julian Mehnle  wrote:
> Augie Schwer wrote:
>
>> PowerDNS returns a malformed response when queried for a TXT record
>> larger than 257 characters.
>>
>> [...]
>>
>> PowerDNS returns NOERROR and returns as much data as it can which ends
>> up creating the corrupt packet.
>>
>> Admittedly one shouldn't put bad data in (the above record is not RFC
>> compliant); I was hoping PowerDNS would handle the response better --
>> any of the response codes could fit and certainly not return a
>> malformed packet; I'd rather see an empty packet or maybe a truncated
>> RDATA and a NOERROR return code.
>
> The problem is that while a TXT record can contain multiple "strings" (the
> parts you have to enclose in double quotes in TXT records in both BIND
> and PowerDNS), each string can only be 256 bytes long at maximum by design
> -- one length octet plus 255 bytes of text (RFC 1035).  If you want to
> have a longer TXT record, you have to split it into several strings, like
> so:
>
>  "v=spf1 ip4:209.204.164.194 a mx mx:gordonmedical.com,
>   mx:mailin-02.mx.sonic.net,mx:g.mx.sonic.net, mx:mailin-01.mx.sonic.net,
>   mx:e.mx.sonic.net mx:a.mx.sonic.net, mx:c.mx.sonic.net,
>   mx:d.mx.sonic.net, mx:h.mx.sonic.net, mx:f.mx.sonic.net, mx:and "
>  "mx:b.mx."
>
> leaving a space between strings like so: "string1" "string2".  The SPF
> spec states that multiple strings will be concatenated seamlessly, so
> you'd probably have to include another space *in* the strings, either at
> the end of "string1 " or at the start of " string2".
>
> Note that this is different from splitting the record into several
> *records* (opposed to several strings in a single record).  This doesn't
> work with SPF since ordering among records is undefined by DNS and SPF
> wouldn't know how to concatenate them correctly.
>
> Of course you could just remove the erroneous commas and fix up the SPF
> record to get below the 256 characters limit in this particular case.
>
> -Julian
>
>
>



-- 
Augie Schwer - au...@schwer.us - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


[Pdns-users] PowerDNS returns a malformed response when queried for a TXT record larger than 257 characters.

2010-03-24 Thread Augie Schwer
PowerDNS returns a malformed response when queried for a TXT record
larger than 257 characters.

dig +short txt 258txt.schwer.us @a.auth-ns.sonic.net
;; Warning: Message parser reports malformed message packet.

PowerDNS Authoritative version 2.9.22

Record in the DB looks like this :

258txt.schwer.us | TXT  | "v=spf1 ip4:209.204.164.194 a mx
mx:gordonmedical.com, mx:mailin-02.mx.sonic.net, mx:g.mx.sonic.net,
mx:mailin-01.mx.sonic.net, mx:e.mx.sonic.net, mx:a.mx.sonic.net,
mx:c.mx.sonic.net, mx:d.mx.sonic.net, mx:h.mx.sonic.net,
mx:f.mx.sonic.net, mx:and mx:b.mx."

PowerDNS returns NOERROR and returns as much data as it can which ends
up creating the corrupt packet.

Admittedly one shouldn't put bad data in (the above record is not RFC
compliant); I was hoping PowerDNS would handle the response better --
any of the response codes could fit and certainly not return a
malformed packet; I'd rather see an empty packet or maybe a truncated
RDATA and a NOERROR return code.

Thoughts?


-- 
Augie Schwer - au...@schwer.us - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Multipart TXT records

2010-03-08 Thread Augie Schwer
Just wanted to confirm that this is spot on -- I ran into this same
thing a few weeks back and had to do the same head scratching, RFC
look-up, google, etc.

--Augie

On Mon, Mar 1, 2010 at 11:25 AM, Julian Mehnle  wrote:
> Leen Besselink wrote:
>
>> You can also see that here:
>>
>> http://doc.powerdns.com/changelog.html
>>
>> I'm unsure about what it does mean though.
>>
>> My first thought would be that it's code to split large TXT-records
>> over different TXT-records.
>>
>> Or just that multi TXT-records didn't work at all, a bug, as mentioned
>> in the log.
>
> I think pre-2.9.21, multi-"part" TXT records didn't work at all.
>
> Actually, RFC 1035 defines a TXT RR to be composed of "One or more
> <character-string>s" (not "parts"), and a <character-string> as:
>
>    "a single length octet followed by that number of characters.
>    <character-string> is treated as binary information, and can be up
>    to 256 characters in length (including the length octet)".
>
> Thus the rationale for having more than one (character) string in a
> single TXT RR is to build a TXT RR that is longer than 255 characters.
>
> The way TXT RRs work in the PowerDNS authoritative server is that each of
> a TXT RR's strings must be enclosed in double quotes, even if the TXT RR
> consists of only a single string.
>
> E.g.:
>
>  "foo bar quux"  (single string)
>
>  "foo " "bar " "quux"  (three strings)
>
> Those values still need to be quoted when specified in an SQL command.
> E.g.:
>
>  INSERT INTO dns_records (name, rrtype, content) VALUES (
>    'txt.example.com', 'TXT', '"foo bar quux")
>
>  INSERT INTO dns_records (name, rrtype, content) VALUES (
>    'txt.example.com', 'TXT', '"foo " "bar " "quux"')
>
> -Julian
>
>
>



-- 
Augie Schwer - au...@schwer.us - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072
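The three TXT threads above (the 258-character record that produces a malformed response, and Julian's explanation of RFC 1035 character-strings) come down to one wire-format rule. As an added example, not code from the threads or from PowerDNS, the Python below encodes and decodes TXT RDATA, refuses a string that cannot be represented, splits a long value into valid strings, and renders them in the quoted form the PowerDNS content column expects. The 258-byte sample value is constructed.

```python
MAX_CHARSTRING = 255  # payload bytes per <character-string>; with the length octet, 256


def encode_txt_rdata(strings):
    """Build TXT RDATA: every <character-string> is one length octet followed
    by at most 255 bytes. A single string longer than that has no valid
    encoding, so refuse it rather than emit as much as fits (which is what
    turns a non-compliant record into a corrupt packet on the wire)."""
    if not strings:
        raise ValueError("a TXT record needs at least one <character-string>")
    out = bytearray()
    for s in strings:
        if len(s) > MAX_CHARSTRING:
            raise ValueError(
                f"<character-string> of {len(s)} bytes exceeds {MAX_CHARSTRING}")
        out.append(len(s))
        out += s
    return bytes(out)


def decode_txt_rdata(rdata):
    """Parse TXT RDATA back into its <character-string>s. A length octet that
    points past the end of the data is the 'malformed message packet'
    condition dig warns about, so it is rejected instead of silently cut."""
    strings = []
    pos = 0
    while pos < len(rdata):
        n = rdata[pos]
        pos += 1
        if pos + n > len(rdata):
            raise ValueError("malformed TXT RDATA: length octet runs past the end")
        strings.append(rdata[pos:pos + n])
        pos += n
    return strings


def split_txt(value, chunk=MAX_CHARSTRING):
    """Split one long value into strings of at most `chunk` bytes. Resolvers
    (and SPF) concatenate the strings of a single record seamlessly, so no
    separator is inserted: put any needed space inside the strings."""
    data = value.encode("ascii")
    return [data[i:i + chunk] for i in range(0, len(data), chunk)]


def pdns_content(strings):
    """Render strings for the PowerDNS content column: every string
    double-quoted, strings separated by a single space."""
    return " ".join('"' + s.decode("ascii").replace('"', '\\"') + '"' for s in strings)


def rejects(fn, *args):
    """True if fn(*args) raises ValueError; shows the refusal paths above."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed sample: a 258-character SPF-style value, the size the thread
# reports as producing a malformed response when stored as one string.
SAMPLE_258 = "v=spf1 " + "a" * 251

if __name__ == "__main__":
    parts = split_txt(SAMPLE_258)
    print("one string rejected:", rejects(encode_txt_rdata, [SAMPLE_258.encode("ascii")]))
    print("split into", [len(p) for p in parts], "-> RDATA bytes:", len(encode_txt_rdata(parts)))
    print("content column:", pdns_content(parts)[:40], "...")
```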


Re: [Pdns-users] reverse dns creation

2010-02-10 Thread Augie Schwer
Here's an example from a production DB :

mysql> select * from domains where name like '%.in-addr.arpa' limit 1;
+-------+----------------------+--------+------------+--------+-----------------+---------+---------------------+
| id    | name                 | master | last_check | type   | notified_serial | account | change_date         |
+-------+----------------------+--------+------------+--------+-----------------+---------+---------------------+
| 17168 | 0.0.127.IN-ADDR.ARPA |        | 1194994265 | NATIVE | NULL            | NULL    | -00-00 00:00:00     |
+-------+----------------------+--------+------------+--------+-----------------+---------+---------------------+
1 row in set (0.00 sec)

mysql> select * from records where domain_id = 17168;
+------------+-----------+------------------------+------+-----------------------------------------------------------------------+--------+------+---------------------+
| id         | domain_id | name                   | type | content                                                               | ttl    | prio | change_date         |
+------------+-----------+------------------------+------+-----------------------------------------------------------------------+--------+------+---------------------+
| 1621130347 | 17168     | 0.0.127.in-addr.arpa   | SOA  | ns1.sonic.net. hostmaster.sonic.net. 2003061002 3600 300 1209600 3600 | 259200 |    0 | 2009-09-10 14:21:40 |
| 1621130348 | 17168     | 0.0.127.in-addr.arpa   | NS   | a.auth-ns.sonic.net                                                   | 259200 |    0 | 2009-09-10 14:21:40 |
| 1621130349 | 17168     | 0.0.127.in-addr.arpa   | NS   | b.auth-ns.sonic.net                                                   | 259200 |    0 | 2009-09-10 14:21:40 |
| 1621130350 | 17168     | 1.0.0.127.in-addr.arpa | PTR  | localhost.                                                            | 259200 |    0 | 2009-09-10 14:21:40 |
| 8498683330 | 17168     | 0.0.127.in-addr.arpa   | NS   | c.auth-ns.sonic.net                                                   | 259200 |    0 | 2009-09-10 14:21:40 |
+------------+-----------+------------------------+------+-----------------------------------------------------------------------+--------+------+---------------------+
5 rows in set (0.00 sec)

--Augie
On Tue, Feb 9, 2010 at 7:46 PM, Liong Kok Foo  wrote:
> Hi,
>
> Can someone guide me on setting up reverse dns for powerdns? The docs do
> not mention it.
>
> I have a previous bind for reverse dns as below:
>
> in named.conf file:-
> zone "96.87.222.111.in-addr.arpa." {
> type master;
> file "/var/named/96.87.222.111.in-addr.arpa.";
> allow-update { 111.222.221.50; };
> };
>
>
> in 96.87.222.111.in-addr.arpa. file:-
> $TTL 3D
> @               IN      SOA     mydomain.com. hostmaster.mydomain.com. (
>                                0909200901       ; Serial
>                                10800   ; Refresh
>                                1800    ; Retry
>                                360 ; Expire
>                                86400)  ; Minimum TTL
>                        NS      ns1.mydomain.com.
>                        NS      ns2.mydomain.com.
>
> ;
> ;       Servers
> ;
>
> 117     IN      PTR     mail.mydomain.com.sg.
>
>
> How should I setup this in powerdns?
>
> Is this even correct? Aren't reverse dns supposed to have only 3 subnets and
> then last one defined in the PTR record?
>
> Please help.
> Thanks.
>
>



-- 
Augie Schwer - au...@schwer.us - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072
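The reverse-DNS exchange above shows the finished PowerDNS rows but not how the in-addr.arpa names are formed. As an added example (not code from the thread or from PowerDNS), the Python below derives the zone name for an octet-aligned prefix, checks which label an address gets inside that zone, and maps BIND-style PTR lines onto rows shaped like the records dump; it generalises beyond the /24 case to /8 and /16. The domain_id, addresses (RFC 5737 range) and zone snippet are constructed.

```python
import ipaddress
import re

# Matches BIND-style lines such as "117     IN      PTR     mail.mydomain.com.sg."
_PTR_LINE = re.compile(r"^(\S+)\s+(?:IN\s+)?PTR\s+(\S+)\s*$", re.IGNORECASE)


def reverse_zone_name(network):
    """in-addr.arpa zone for a /8, /16 or /24: the network octets reversed,
    so a /24 zone has three octets and the host octet becomes the label."""
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("octet-aligned reverse zones cover /8, /16 or /24 only")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_label(ip, zone):
    """Label to use inside `zone` for `ip` (e.g. '1' for 127.0.0.1 in
    0.0.127.in-addr.arpa); raises if the address is not covered by the zone."""
    rev = ipaddress.IPv4Address(ip).reverse_pointer
    suffix = "." + zone.lower()
    if not rev.endswith(suffix):
        raise ValueError(f"{ip} is not inside {zone}")
    return rev[: -len(suffix)]


def parse_bind_ptr_lines(text):
    """Extract (label, target) pairs from a BIND zone snippet, skipping the
    SOA/NS lines and ';' comments."""
    pairs = []
    for line in text.splitlines():
        m = _PTR_LINE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def records_rows(domain_id, zone, pairs, ttl=259200):
    """Rows shaped like the records table in the dump: fully qualified name
    with no trailing dot (as in '1.0.0.127.in-addr.arpa'); the PTR target is
    kept exactly as written in the source zone."""
    rows = []
    for label, target in pairs:
        name = zone if label == "@" else f"{label}.{zone}"
        rows.append({"domain_id": domain_id, "name": name.lower(), "type": "PTR",
                     "content": target, "ttl": ttl, "prio": 0})
    return rows


# Constructed sample modelled on the zone file in the question.
SAMPLE_ZONE = """
$TTL 3D
@               IN      SOA     ns1.example.com. hostmaster.example.com. (
                                2024010101 ; Serial
                                10800 1800 360 86400 )
                        NS      ns1.example.com.
;       Servers
117     IN      PTR     mail.example.com.
"""

if __name__ == "__main__":
    zone = reverse_zone_name("192.0.2.0/24")      # hypothetical /24 -> 2.0.192.in-addr.arpa
    for row in records_rows(17168, zone, parse_bind_ptr_lines(SAMPLE_ZONE)):
        print(row)
    print("192.0.2.117 ->", ptr_label("192.0.2.117", zone))
```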


Re: [Pdns-users] where is the ns's A record

2009-03-24 Thread Augie Schwer
The TLD servers have it :

[au...@augnix ~]$ dig a twdns-04.ns.aol.com. +norecurse +short
@a.gtld-servers.net
64.12.147.120

--Augie

2009/3/24 cnsung :
> Hi all:
>
>   I want to figure out the entire dns query process, but I am confused about
> where the NS's A record is. For example:
> I know the domain cnn.com's NS server is twdns-04.ns.aol.com., but
> where can it find twdns-04.ns.aol.com's A record?
>
> Thanks!
>
> 2009-03-24
> 
> Elson Chen
>
>



-- 
Augie Schwer - au...@schwer.us - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] newbie pdns crashing on startup

2009-03-19 Thread Augie Schwer
You could try compiling the source from the website; also is that the
full strace?  --Augie

2009/3/18 Dave Corsello :
> I compiled it from the FreeBSD powerdns port.
>
> Augie Schwer wrote:
>
> Did you compile this yourself for FreeBSD?  --Augie
>
>
> On Tue, Mar 17, 2009 at 7:17 PM, Dave Corsello 
> wrote:
>
>
> No, user and group do exist. --Dave
>
> Augie Schwer wrote:
>
> Is it trying to setgid to "pdns" but the pdns user/group do not exist?
> --Augie
>
> 2009/3/17 Dave Corsello :
>
>
> Ask Bjørn Hansen wrote:
>
> Sometimes in situations like this it can be helpful to run strace (or your
> platform's equivalent).  On linux something like:
>
> strace -o /tmp/pdns.trace -f /usr/bin/pdns
>
> will generate a list of system calls in /tmp/pdns.trace -- it might give a
> hint as to what the process gets stuck on.
>
>
>  - ask
>
>
> Thanks a lot, Ask.  I don't know what to look for in the trace output, so
> for what it's worth, here's a listing of all the calls that have a return
> code of "-1":
>
> 5386  open("/etc/libmap.conf", O_RDONLY) = -1 ENOENT (No such file or
> directory)
> 5386  access("/lib/libstdc++.so.6", F_OK) = -1 ENOENT (No such file or
> directory)
> 5386  readlink("/etc/malloc.conf", 0xbfbfe557, 1024) = -1 ENOENT (No such
> file or directory)
> 5386  mkdir("/var/run/", 0700)  = -1 EEXIST (File exists)
> 5386  ioctl(5, TIOCGETA, 0xbfbfe578)    = -1 ENOTTY (Inappropriate ioctl for
> device)
> 5386  access("/lib/nss_compat.so.1", F_OK) = -1 ENOENT (No such file or
> directory)
> 5386  access("/usr/lib/nss_compat.so.1", F_OK) = -1 ENOENT (No such file or
> directory)
> 5386  access("/usr/lib/compat/nss_compat.so.1", F_OK) = -1 ENOENT (No such
> file or directory)
> 5386  access("/usr/local/lib/nss_compat.so.1", F_OK) = -1 ENOENT (No such
> file or directory)
> 5386  access("/usr/local/lib/mysql/nss_compat.so.1", F_OK) = -1 ENOENT (No
> such file or directory)
> 5386  access("/lib/nss_compat.so.1", F_OK) = -1 ENOENT (No such file or
> directory)
> 5386  access("/usr/lib/nss_compat.so.1", F_OK) = -1 ENOENT (No such file or
> directory)
> 5386  access("/lib/nss_nis.so.1", F_OK) = -1 ENOENT (No such file or
> directory)
> 5386  access("/usr/lib/nss_nis.so.1", F_OK) = -1 ENOENT (No such file or
> directory)
> 5386  access("/usr/lib/compat/nss_nis.so.1", F_OK) = -1 ENOENT (No such file
> or directory)
> 5386  access("/usr/local/lib/nss_nis.so.1", F_OK) = -1 ENOENT (No such file
> or directory)
> 5386  access("/usr/local/lib/mysql/nss_nis.so.1", F_OK) = -1 ENOENT (No such
> file or directory)
> 5386  access("/lib/nss_nis.so.1", F_OK) = -1 ENOENT (No such file or
> directory)
> 5386  access("/usr/lib/nss_nis.so.1", F_OK) = -1 ENOENT (No such file or
> directory)
> 5386  access("/lib/nss_files.so.1", F_OK) = -1 ENOENT (No such file or
> directory)
> 5386  access("/usr/lib/nss_files.so.1", F_OK) = -1 ENOENT (No such file or
> directory)
> 5386  access("/usr/lib/compat/nss_files.so.1", F_OK) = -1 ENOENT (No such
> file or directory)
> 5386  access("/usr/local/lib/nss_files.so.1", F_OK) = -1 ENOENT (No such
> file or directory)
> 5386  access("/usr/local/lib/mysql/nss_files.so.1", F_OK) = -1 ENOENT (No
> such file or directory)
> 5386  access("/lib/nss_files.so.1", F_OK) = -1 ENOENT (No such file or
> directory)
> 5386  access("/usr/lib/nss_files.so.1", F_OK) = -1 ENOENT (No such file or
> directory)
> 5386  access("/lib/nss_dns.so.1", F_OK) = -1 ENOENT (No such file or
> directory)
> 5386  access("/usr/lib/nss_dns.so.1", F_OK) = -1 ENOENT (No such file or
> directory)
> 5386  access("/usr/lib/compat/nss_dns.so.1", F_OK) = -1 ENOENT (No such file
> or directory)
> 5386  access("/usr/local/lib/nss_dns.so.1", F_OK) = -1 ENOENT (No such file
> or directory)
> 5386  access("/usr/local/lib/mysql/nss_dns.so.1", F_OK) = -1 ENOENT (No such
> file or directory)
> 5386  access("/lib/nss_dns.so.1", F_OK) = -1 ENOENT (No such file or
> directory)
> 5386  access("/usr/lib/nss_dns.so.1", F_OK) = -1 ENOENT (No such file or
> directory)
> 5386  ioctl(5, TIOCGETA, 0xbfbfe578)    = -1 ENOTTY (Inappropriate ioctl for
> device)
>
> The call that seems to be interrupted mid-stream is this one:
>
> 5386  setgid(0x3eans1
>
> Thanks,
> Dave
>
>
> ___
> Pdns-users mailing list
> Pdns-users@mailman.powerdns.com
> http://mailman.powerdns.com/mailman/listinfo/pdns-users



-- 
Augie Schwer-au...@schwer.us-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] newbie pdns crashing on startup

2009-03-18 Thread Augie Schwer
Did you compile this yourself for FreeBSD?  --Augie


On Tue, Mar 17, 2009 at 7:17 PM, Dave Corsello  wrote:
> No, user and group do exist. --Dave
>
> Augie Schwer wrote:
>
> Is it trying to setgid to "pdns" but the pdns user/group do not exist?
> --Augie
>
> 2009/3/17 Dave Corsello :
> The call that seems to be interrupted mid-stream is this one:
>
> 5386  setgid(0x3eans1
>
> Thanks,
> Dave
>
>



-- 
Augie Schwer-au...@schwer.us-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] newbie pdns crashing on startup

2009-03-17 Thread Augie Schwer
Is it trying to setgid to "pdns" but the pdns user/group do not exist?  --Augie

2009/3/17 Dave Corsello :
> The call that seems to be interrupted mid-stream is this one:
>
> 5386  setgid(0x3eans1
>
> Thanks,
> Dave
>
>



-- 
Augie Schwer-au...@schwer.us-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072
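
The question above is whether the crash at setgid() comes from a "pdns" user or group that does not exist. An added example, not code from PowerDNS or from anyone in the thread: a privilege drop that resolves the configured user and group names first, so a missing account is reported as a readable error before setgid()/setuid() are called, and that verifies the drop actually took effect. The function names `resolve_ids` and `drop_privileges` are my own.

```python
import grp
import os
import pwd


def resolve_ids(user, group):
    """Look up the uid/gid a daemon is configured to switch to.

    Returns (uid, gid, problems); `problems` lists the names missing from the
    system, which is the condition asked about in the thread.
    """
    uid = gid = None
    problems = []
    try:
        uid = pwd.getpwnam(user).pw_uid
    except KeyError:
        problems.append("user %r does not exist" % user)
    try:
        gid = grp.getgrnam(group).gr_gid
    except KeyError:
        problems.append("group %r does not exist" % group)
    return uid, gid, problems


def drop_privileges(user, group):
    """Switch to the unprivileged account, group first, then verify.

    Order matters: once setuid() has run, the process can no longer change
    its gid. Raises RuntimeError with a clear message instead of failing
    inside the system call.
    """
    uid, gid, problems = resolve_ids(user, group)
    if problems:
        raise RuntimeError("cannot drop privileges: " + "; ".join(problems))
    if os.getuid() != 0:
        raise RuntimeError("must start as root to change uid/gid")
    os.setgroups([gid])          # discard inherited supplementary groups
    os.setgid(gid)
    os.setuid(uid)
    if os.getuid() != uid or os.getgid() != gid:
        raise RuntimeError("privilege drop did not take effect")
    # A correct drop is irreversible: regaining root must fail.
    try:
        os.setuid(0)
    except PermissionError:
        return uid, gid
    raise RuntimeError("process could regain root after dropping privileges")
```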


Re: [Pdns-users] Anyone working on a PHP API?

2009-02-20 Thread Augie Schwer
On Tue, Feb 10, 2009 at 10:31 PM, David Ordal  wrote:
> And I found a
> Perl API, but that doesn't do me a lot of good.

As the maintainer of the Perl API you are probably talking about
(PowerDNS::Backend::MySQL) I beg to differ; you could certainly re-use
a lot of the same logic and functionality; Perl and PHP syntax are not
that different.

If you decide to write a PHP API that you release to the public, it
might be a good idea to keep the PHP and Perl APIs in sync to some
extent since both can benefit from each other.


-- 
Augie Schwer-au...@schwer.us-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Non authoritive secondary & recursion

2009-02-18 Thread Augie Schwer
Is there IPv6 involved anywhere here? Like your client has an IPv6
link, or your server has an AAAA record?

I've seen resolvers fail in the same way you mention when they send
their query to the AAAA address but they don't have an IPv6 link; they
then send the request to the A record address, but the answer never
makes it back to the client because the client code didn't wait around
for an answer.

--Augie

On Fri, Feb 13, 2009 at 2:11 PM, Sean Boran  wrote:
> I'm still stuck with this problem and would really appreciate some help.
> Although pdns is answering a query correctly, the result is being
> ignored as "recursion not available"
>
> I use nslookup as opposed to dig, because the OS is using the same
> resolver libs as nslookup (I believe) and it means that the pdns
> answers are being ignored.
>
> Doing an nslookup without specifying the server, for some reason the
> answer coming back is not believed. Sniffing shows the correct answer
> "A 193.5.227.236" coming back, but nslookup reports "Got recursion not
> available from 193.5.227.236"
>
> nslookup sisns3.vptt.ch
> ;; Got recursion not available from 193.5.227.236, trying next server
> 23:02:50.842166 IP 193.5.227.232.32860 > 193.5.227.236.53: 47807+ A?
> sisns3.vptt.ch. (32)
>0x:  4500 003c  4000 4011 f0d0 c105 e3e8  E..<@.@...
>0x0010:  c105 e3ec 805c 0035 0028 12c3 babf 0100  .\.5.(..
>0x0020:  0001    0673 6973 6e73 3304  .sisns3.
>0x0030:  7670 7474 0263 6800 0001 0001vptt.ch.
> 23:02:50.842396 IP 193.5.227.236.53 > 193.5.227.232.32860: 47807*-
> 1/0/0 A 193.5.227.236 (48)
>0x:  4500 004c  4000 4011 f0c0 c105 e3ec  e.@.@...
>0x0010:  c105 e3e8 0035 805c 0038 4a2a babf 8500  .5.\.8J*
>0x0020:  0001 0001   0673 6973 6e73 3304  .sisns3.
>0x0030:  7670 7474 0263 6800 0001 0001 c00c 0001  vptt.ch.
>0x0040:  0001 0001 5180 0004 c105 e3ecQ...
>
>
> When the server is specified, nslookup believes the answer, although
> the wire packets look identical to above:
> nslookup sisns3.vptt.ch 193.5.227.236
> Server: 193.5.227.236
> Address:193.5.227.236#53
> Name:   sisns3.vptt.ch
> Address: 193.5.227.236
>
>
> 23:02:48.092880 IP 193.5.227.232.32860 > 193.5.227.236.53: 43960+ A?
> sisns3.vptt.ch. (32)
>0x:  4500 003c  4000 4011 f0d0 c105 e3e8  E..<@.@...
>0x0010:  c105 e3ec 805c 0035 0028 21ca abb8 0100  .\.5.(!.
>0x0020:  0001    0673 6973 6e73 3304  .sisns3.
>0x0030:  7670 7474 0263 6800 0001 0001vptt.ch.
> 23:02:48.093761 IP 193.5.227.236.53 > 193.5.227.232.32860: 43960*-
> 1/0/0 A 193.5.227.236 (48)
>0x:  4500 004c  4000 4011 f0c0 c105 e3ec  e.@.@...
>0x0010:  c105 e3e8 0035 805c 0038 4a2a abb8 8500  .5.\.8J*
>0x0020:  0001 0001   0673 6973 6e73 3304  .sisns3.
>0x0030:  7670 7474 0263 6800 0001 0001 c00c 0001  vptt.ch.
>0x0040:  0001 0001 5180 0004 c105 e3ecQ...
>
> I've spend a lot of time googling, and related emails on this topic
> were not conclusive.
>
> Thanks in advance,
>
> Sean
>
>
> 2009/2/10 Sean Boran:
>> If I query the server with nslookup, relying on the fact that it's the first
>> entry in resolv.conf, powerdns does not respond, probably because it's a
>> recursive query?
>>
>> $ nslookup sisns3.vptt.ch
>> ;; Got recursion not available from 193.5.227.236, trying next server
>>
>> On the other hand, an explicit nslookup to that powerdns answer, for the same
>> address, works fine:
>>
>>  nslookup sisns3.vptt.ch 193.5.227.236
>> Server: 193.5.227.236
>> Address:193.5.227.236#53
>> Name:   sisns3.vptt.ch
>> Address: 193.5.227.236
>>
>>
>> Thanks for any tips...
>>



-- 
Augie Schwer-au...@schwer.us-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072
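
Decoding the header of the reply Sean captured shows why nslookup reports "recursion not available" even though the answer section is right: the query carries RD=1, the authoritative reply comes back with AA=1 but RA=0, and a stub resolver treats that as "this server does not recurse" and moves on. An added example, not code from the thread or from PowerDNS; it parses the two DNS payloads rebuilt from the tcpdump hex above (IP/UDP headers dropped, the all-zero words that the archive stripped restored), and the `stub_verdict` check is my own model of the resolver's behaviour.

```python
import struct

# Bit positions inside the 16-bit flags word of the DNS header (RFC 1035, 4.1.1).
FLAG_BITS = {"QR": 15, "AA": 10, "TC": 9, "RD": 8, "RA": 7}

# Payloads of the 'nslookup sisns3.vptt.ch' exchange from the thread, rebuilt
# from the tcpdump hex: query 32 bytes, reply 48 bytes, as tcpdump reported.
NAME = "06 736973 6e7333 04 76707474 02 6368 00"   # sisns3.vptt.ch on the wire
QUERY = bytes.fromhex("babf 0100 0001 0000 0000 0000 " + NAME + " 0001 0001")
REPLY = bytes.fromhex(
    "babf 8500 0001 0001 0000 0000 " + NAME + " 0001 0001 "
    "c00c 0001 0001 00015180 0004 c105e3ec"        # A 193.5.227.236, TTL 86400
)


def parse_header(pkt):
    """Decode the 12-byte header into id, counts and individual flag bits."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    hdr = {name: bool((flags >> bit) & 1) for name, bit in FLAG_BITS.items()}
    hdr.update(id=ident, opcode=(flags >> 11) & 0xF, rcode=flags & 0xF,
               qdcount=qd, ancount=an, nscount=ns, arcount=ar)
    return hdr


def parse_name(pkt, off):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels = []
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            tail, _ = parse_name(pkt, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length


def parse_a_answers(pkt):
    """Return [(owner, ttl, dotted-quad)] for A records in the answer section."""
    hdr = parse_header(pkt)
    off = 12
    for _ in range(hdr["qdcount"]):
        _, off = parse_name(pkt, off)
        off += 4                                       # QTYPE + QCLASS
    answers = []
    for _ in range(hdr["ancount"]):
        owner, off = parse_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return answers


def stub_verdict(query, reply):
    """Model the check a stub resolver applies before trusting a reply.

    The stub set RD because it wants the server to recurse; a reply with RA
    clear tells it the server is not a recursor, so it tries the next one
    even though the answer section already holds the correct A record.
    """
    q, r = parse_header(query), parse_header(reply)
    if r["id"] != q["id"]:
        return "mismatched id, ignored"
    if q["RD"] and not r["RA"]:
        return "recursion not available, trying next server"
    return "accepted"
```

Pointing nslookup at the server explicitly skips that RA check, which is why the second lookup in the thread succeeds with identical packets on the wire.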


Re: [Pdns-users] Why prefer recursor answers over auth Authoritative answers?

2009-02-06 Thread Augie Schwer
I am sure allow-recursion-override is set to "no"; it may help to run
the latest code in both cases :

http://powerdns.com/en/downloads.aspx

pdns-2.9.22 and pdns-recursor-3.1.7

--Augie

On Fri, Feb 6, 2009 at 9:56 AM, David Sparks  wrote:
> Augie Schwer wrote:
>> We have many machines that have both the PowerDNS authoritative server
>> and the PowerDNS recursor; we don't have this problem. What version of
>> the auth. and recursive server are you running?  --Augie
>
> I'm running:
>
> pdns-2.9.21.2.tar.gz
> pdns-recursor-3.1.6.tar.bz2
>
> Are you sure you haven't set allow-recursion-override=yes?  Now that I know
> what to search for there are many people who have a similar problem with the
> auth server passing queries to the recursor when it should answer them itself.
>
> ds
>
>
>
>>
>> On Thu, Feb 5, 2009 at 1:22 PM, David Sparks  wrote:
>>> David Sparks wrote:
>>>> Why does PowerDNS auth server not answer queries that it is both 
>>>> authoritative
>>>> for, and has an answer for in its auth server when recursion is available 
>>>> and
>>>> requested?
>>> I've found a Debian bug report that suggests this is a long standing problem
>>> with Powerdns:
>>>
>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=357432
>>>
>>> Unfortunately that bug report is 3 years old and unanswered.
>>>
>>> Out of curiosity can someone fill me in on why Powerdns does a recursive
>>> resolve of a query and only falls back to its own auth server if the 
>>> recursive
>>> query fails?  This seems incredibly bizarre ... and has tripped up others in
>>> the past.  There seems to be a design decision here that is solving a 
>>> problem
>>> I don't know about (and the solution is causing me problems).
>>>
>>> Thanks!
>>>
>>> ds
>>>
>>>
>>>
>>>> Background:
>>>>
>>>> I have setup a PowerDNS installation to replace a BIND installation.  We 
>>>> have
>>>> run a split-horizon setup in BIND that has worked for many years.  Since
>>>> PowerDNS does not support this I intend to continue to run BIND to answer 
>>>> the
>>>> Internet queries, and PowerDNS will answer the internal for both auth and
>>>> recursive.
>>>>
>>>> PowerDNS auth server when queried for a record that it is both 
>>>> authoritative
>>>> for and exists will pass the query to the recursor if the recursion desired
>>>> flag is set (without doing any kind of lookup).  What this means is queries
>>>> that could and should be answered by PowerDNS are passed onto the Internet
>>>> auth server.  The answer from Internet auth server is from the wrong zone.
>>>>
>>>> This behavior can be worked around by setting 
>>>> "allow-recursion-override=yes"
>>>> but then delegated subdomains no longer work.  Why does the auth server 
>>>> pass
>>>> queries to the recursor instead of doing a first attempt to answer them?
>>>>
>>>>
>>>> Below is the output of 4 queries:
>>>>
>>>> A plain query to PowerDNS is wrong. (2006 SOA comes from Internet auth 
>>>> server)
>>>> A query to PowerDNS with +norec is right. (2007 SOA from PowerDNS)
>>>> PowerDNS with allow-recursion-override=yes is right. (2007 SOA from 
>>>> PowerDNS)
>>>> BIND9 is right. (2007 SOA from BIND internal view)
>>>>
>>>>
>>>> --
>>>> allow-recursion-override=no - wrong answer
>>>> ~ # dig -t soa ahost.example.com @10.0.0.12
>>>>
>>>> ; <<>> DiG 9.4.1-P1 <<>> -t soa ahost.example.com @10.0.0.12
>>>> ; (1 server found)
>>>> ;; global options:  printcmd
>>>> ;; Got answer:
>>>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3198
>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>>>
>>>> ;; QUESTION SECTION:
>>>> ;ahost.example.com. IN  SOA
>>>>
>>>> ;; AUTHORITY SECTION:
>>>> example.com.   0   IN  SOA ns1.example.com.
>>>> postmaster.example.com. 2006030201 3600 900 2419200 900
>>>>
>>>>
>>>> ---
>>>

Re: [Pdns-users] Why prefer recursor answers over auth Authoritative answers?

2009-02-05 Thread Augie Schwer
;>
>> ;; AUTHORITY SECTION:
>> example.com.   60  IN  SOA ns1.example.com.
>> hostmaster.example.com. 2007041200 60 60 60 60
>>
>> 
>> BIND9 - right answer
>> ~ # dig -t soa ahost.example.com @10.0.0.19
>>
>> ; <<>> DiG 9.4.1-P1 <<>> -t soa ahost.example.com @10.0.0.19
>> ; (1 server found)
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63338
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;ahost.example.com. IN  SOA
>>
>> ;; AUTHORITY SECTION:
>> example.com.   60  IN  SOA ns1.example.com.
>> postmaster.example.com. 2007041200 60 60 60 60
>>
>>
>> DNS server legend:
>>
>> allow-recursion-override=yes10.0.0.11
>> allow-recursion-override=no 10.0.0.12
>> bind9   10.0.0.19
>
>
> --
> Environmental thought: print this email in triplicate!
> (ygolohcysp esrever)



-- 
Augie Schwer-au...@schwer.us-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Different behaviour for wildcard-entries

2009-01-29 Thread Augie Schwer
Turn Fancy records off or try an older version; the release notes for
2.9.22 say :

"Fancy records work again. This work has been sponsored by ISP
Services. Implemented in commit 1302 and commit 1299. "

Which makes me think you found a bug in the latest release; trying the
same test and back-end data and different version or with Fancy
records turned off would give you a better idea of whether the problem
is you or the code.

Older versions can be found here :

http://svn.powerdns.com/snapshots/

--Augie

On Thu, Jan 29, 2009 at 1:47 AM, Christian Kuehn  wrote:
> Yes, fancy-records is ON and will be used (pdns failed with axfr, but
> this is another mail here)
>
> Christian
>
> Augie Schwer schrieb:
>> What does the zone look like? Do you have fancy-records turned on in
>> the pdns.conf ?
>>
>> --Augie
>>
>> On Wed, Jan 28, 2009 at 1:56 AM, Christian Kuehn  
>> wrote:
>>> Hi,
>>>
>>> I have a problem with the new pdns-2.9.22.
>>>
>>> In one domain the pdns will not detect the wildcard-entry:
>>>
>>> Jan 28 10:29:04 Received a packet 36 bytes long from 127.0.0.1
>>> Jan 28 10:29:04 DNSPacket copy constructor called!
>>> Jan 28 10:29:04 Distributor has 5 threads available
>>> Jan 28 10:29:04 Remote 127.0.0.1 wants a type MX (15) about
>>> 'hamburg.foo2.bar'
>>> Jan 28 10:29:04 UeberBackend received question for ANY of hamburg.foo2.bar'
>>> Jan 28 10:29:04 Query: 'select content,ttl,prio,type,domain_id,name from
>>> records where name='hamburg.foo2.bar'
>>> Jan 28 10:29:04 Ueber get() was called for a ANY record
>>> Jan 28 10:29:04 Found an answering backend - will not try another one
>>> Jan 28 10:29:04 Ueber get() was called for a ANY record
>>> Jan 28 10:29:04 UeberBackend reached end of backends
>>> Jan 28 10:29:04 Found matching qname, but not the qtype
>>> Jan 28 10:29:04 There is some data, but not of the correct type,
>>> checking fancy records
>>> Jan 28 10:29:04 Query: 'select content,ttl,prio,type,domain_id,name from
>>> records where type='SOA' and name='hamburg.foo2.bar'
>>> Jan 28 10:29:04 Query: 'select content,ttl,prio,type,domain_id,name from
>>> records where type='SOA' and name='foo2.bar'
>>> Jan 28 10:29:04 UeberBackend received question for MBOXFW of
>>> %...@hamburg.foo2.bar'
>>> Jan 28 10:29:04 Query: 'select content,ttl,prio,type,domain_id,name from
>>> records where type='MBOXFW' and name like '%...@hamburg.foo2.bar' and
>>> domain_id='1''
>>> Jan 28 10:29:04 Ueber get() was called for a MBOXFW record
>>> Jan 28 10:29:04 UeberBackend reached end of backends
>>> Jan 28 10:29:04 There is some data, but not of the correct type, adding
>>> SOA for NXRECORDSET
>>> Jan 28 10:29:04 Sending a packet to 127.0.0.1 (86 octets)
>>>
>>>
>>> But generally it works:
>>>
>>> Jan 28 10:24:06 Received a packet 29 bytes long from 127.0.0.1
>>> Jan 28 10:24:06 DNSPacket copy constructor called!
>>> Jan 28 10:24:06 Distributor has 5 threads available
>>> Jan 28 10:24:06 Remote 127.0.0.1 wants a type MX (15) about 'www.foo.bar'
>>> Jan 28 10:24:06 UeberBackend received question for ANY of www.foo.bar
>>> Jan 28 10:24:06 Query: 'select content,ttl,prio,type,domain_id,name from
>>> records where name='www.foo.bar''
>>> Jan 28 10:24:06 Ueber get() was called for a ANY record
>>> Jan 28 10:24:06 UeberBackend reached end of backends
>>> Jan 28 10:24:06 There is some data, but not of the correct type,
>>> checking fancy records
>>> Jan 28 10:24:06 Query: 'select content,ttl,prio,type,domain_id,name from
>>> records where type='SOA' and name='www.foo.bar''
>>> Jan 28 10:24:06 Query: 'select content,ttl,prio,type,domain_id,name from
>>> records where type='SOA' and name='foo.bar''
>>> Jan 28 10:24:06 UeberBackend received question for MBOXFW of 
>>> %...@www.foo.bar
>>> Jan 28 10:24:06 Query: 'select content,ttl,prio,type,domain_id,name from
>>> records where type='MBOXFW' and name like '%...@www.foo.bar' and
>>> domain_id='86''
>>> Jan 28 10:24:06 Ueber get() was called for a MBOXFW record
>>> Jan 28 10:24:06 UeberBackend reached end of backends
>>> Jan 28 10:24:06 UeberBackend received question for ANY of www.foo.bar
>>> Jan 28 10:24:06

Re: [Pdns-users] Handling packet flood from one client.

2009-01-28 Thread Augie Schwer
We discussed this on #powerdns a bit as it came up on the
dns-operations list; the conclusion was that dropping the request was
worse because it opened up spoofing attacks.  Thanks for the
suggestion though.  --Augie

On Tue, Jan 27, 2009 at 3:17 PM, Leen Besselink  wrote:
> On Tue, Jan 27, 2009 at 10:00:18AM -0800, Augie Schwer wrote:
>> Obviously; but that's being reactive; I was looking for something more
>> proactive.  --Augie
>>
>
> I've not tested it, but I understand the u32 option is available on 
> Debian/Linux for example:
>
> http://www.stupendous.net/archives/2009/01/24/dropping-spurious-nsin-recursive-queries/
>
> That might do what you want.
>
>> 2009/1/27 Jeroen Wunnink :
>> > Just firewall the IP ?
>> >
>> > Augie Schwer wrote:
>> >>
>> >> Does anyone have other solutions?
>> >>
>> >>
>> >>
>> >
>> > --
>> >
>> > Met vriendelijke groet,
>> >
>> > Jeroen Wunnink,
>> > EasyHosting B.V. Systeembeheerder
>> > systeembeh...@easyhosting.nl
>> >
>> > telefoon:+31 (035) 6285455  Postbus 48
>> > fax: +31 (035) 6838242  3755 ZG Eemnes
>> >
>> > http://www.easyhosting.nl
>> > http://www.easycolocate.nl
>> >
>> >
>> >
>>
>>
>>
>> --
>> Augie Schwer-au...@schwer.us-http://schwer.us
>> Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072



-- 
Augie Schwer-au...@schwer.us-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Different behaviour for wildcard-entries

2009-01-28 Thread Augie Schwer
hristian Kühn
> (Technical Consultant)
>
> ======
> MCS MOORBEK COMPUTER SYSTEME GmbH
> Essener Bogen 17 - 22419 Hamburg - Germany
> Tel +49 (0)40 53773 0 - Fax: +49 (0)40 53773 200
> E-Mail: christian.ku...@mcs.de
> Web: http://www.mcs.de
> Eingetragen im Handelsregister Hamburg B62933
> Geschäftsführer: Kai Brandes & Eckard Kabel
> GPG 8B52 41A1 4B8F 4DE7 9064  2073 6168 137A 3DDA 0F36
> ==



-- 
Augie Schwer-au...@schwer.us-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Handling packet flood from one client.

2009-01-27 Thread Augie Schwer
Obviously; but that's being reactive; I was looking for something more
proactive.  --Augie

2009/1/27 Jeroen Wunnink :
> Just firewall the IP ?
>
> Augie Schwer wrote:
>>
>> Does anyone have other solutions?
>>
>>
>>
>
> --
>
> Met vriendelijke groet,
>
> Jeroen Wunnink,
> EasyHosting B.V. Systeembeheerder
> systeembeh...@easyhosting.nl
>
> telefoon:+31 (035) 6285455  Postbus 48
> fax: +31 (035) 6838242  3755 ZG Eemnes
>
> http://www.easyhosting.nl
> http://www.easycolocate.nl
>
>
>



-- 
Augie Schwer-au...@schwer.us-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


[Pdns-users] Handling packet flood from one client.

2009-01-26 Thread Augie Schwer
Is there a way for the PowerDNS authoritative server to handle a flood
of requests from a single client?

We were getting 5k qps from a single client and were hitting
max-queue-length; does PowerDNS have a way to rate limit in such
instances?

Does anyone have other solutions?


-- 
Augie Schwer-au...@schwer.us-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] 2.9.21.1 - Return of the wild card problem

2009-01-23 Thread Augie Schwer
On Thu, Jan 22, 2009 at 4:26 PM, Marcel Pennewiß
 wrote:
> On Thursday 07 August 2008 08:14:58 bert hubert wrote:
>> On Wed, Aug 06, 2008 at 04:34:12PM -0700, Augie Schwer wrote:
>> > http://wiki.powerdns.com/cgi-bin/trac.fcgi/ticket/124
>> > This seems to have cropped back up in the latest PowerDNS Auth.
>> > release (2.9.21.1). How to reproduce:
>> Please do realise 2.9.21.1 is 2.9.21, and not related to any SVN builds you
>> may be running!
>> So if the bug was in 2.9.21, it will also be in 2.9.21.1.
> Would there be a new version which fixes this issue? As I remember the ticket
> [1] is already opened.
> Does an SVN build fix the problem?
> [1] http://wiki.powerdns.com/cgi-bin/trac.fcgi/ticket/125

Running the latest snapshot or release candidate would fix this problem :

http://svn.powerdns.com/snapshots/


-- 
Augie Schwer-au...@schwer.us-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] DDos Reflector

2009-01-21 Thread Augie Schwer
On Mon, Jan 19, 2009 at 11:41 AM, Christof Meerwald  wrote:
> Is there anything a DNS server/PowerDNS can do to avoid being used as a DDoS
> reflector, like rate-limiting SERVFAILs per IP address? What's the general
> opinion?

For this particular attack you could set "send-root-referral=no"; that
will make sure PowerDNS does not answer the "dig ns . @ns-server"
query which this attack uses.


-- 
Augie Schwer-au...@schwer.us-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] PDNS & pdns-recursor on same machine problems

2008-11-26 Thread Augie Schwer
ursor[15262]: [1165]   ns1.jbdesign.net.:
> Looking for CNAME cache hit of 'ns1.jbdesign.net.|CNAME'
> Nov 24 16:58:31 thunder pdns_recursor[15262]: [1165]   ns1.jbdesign.net.: No
> CNAME cache hit of 'ns1.jbdesign.net.|CNAME' found
> Nov 24 16:58:31 thunder pdns_recursor[15262]: [1165]   ns1.jbdesign.net.: No
> cache hit for 'ns1.jbdesign.net.|A', trying to find an appropriate NS record
> Nov 24 16:58:31 thunder pdns_recursor[15262]: [1165]   ns1.jbdesign.net.:
> Cache consultations done, have 1 NS to contact
> Nov 24 16:58:31 thunder pdns_recursor[15262]: [1165]   ns1.jbdesign.net.:
> Nameservers: 72.29.72.189:53(-1172ms)
> Nov 24 16:58:31 thunder pdns_recursor[15262]: [1165]   ns1.jbdesign.net.:
> Trying to resolve NS '72.29.72.189:53' (1/1)
> Nov 24 16:58:31 thunder pdns_recursor[15262]: [1165]   ns1.jbdesign.net.:
> Domain has hardcoded nameserver(s)
> Nov 24 16:58:31 thunder pdns_recursor[15262]: [1165]   ns1.jbdesign.net.:
> Resolved 'jbdesign.net.' NS 72.29.72.189:53 to: 72.29.72.189
> Nov 24 16:58:31 thunder pdns_recursor[15262]: [1165]   ns1.jbdesign.net.:
> Trying IP 72.29.72.189:53, asking 'ns1.jbdesign.net.|A'
> Nov 24 16:58:31 thunder pdns_recursor[15262]: [1165]   ns1.jbdesign.net.:
> query throttled
> Nov 24 16:58:31 thunder pdns_recursor[15262]: [1165]   ns1.jbdesign.net.:
> Failed to resolve via any of the 1 offered NS at level 'jbdesign.net.'
> Nov 24 16:58:31 thunder pdns_recursor[15262]: [1165]   ns1.jbdesign.net.:
> failed (res=-1)
> Nov 24 16:58:31 thunder pdns_recursor[15262]: [1165] oldbridgeinc.com.:
> Failed to get IP for NS ns1.jbdesign.net., trying next if available
> Nov 24 16:58:31 thunder pdns_recursor[15262]: [1165] oldbridgeinc.com.:
> Trying to resolve NS 'ns2.jbdesign.net.' (2/2)
> Nov 24 16:58:31 thunder pdns_recursor[15262]: [1165]   ns2.jbdesign.net.:
> Looking for CNAME cache hit of 'ns2.jbdesign.net.|CNAME'
> Nov 24 16:58:31 thunder pdns_recursor[15262]: [1165]   ns2.jbdesign.net.: No
> CNAME cache hit of 'ns2.jbdesign.net.|CNAME' found
> Nov 24 16:58:31 thunder pdns_recursor[15262]: [1165]   ns2.jbdesign.net.:
> Found cache hit for A: 12.44.213.89[ttl=86395]
> Nov 24 16:58:31 thunder pdns_recursor[15262]: [1165] oldbridgeinc.com.:
> Resolved 'oldbridgeinc.com.' NS ns2.jbdesign.net. to: 12.44.213.89
> Nov 24 16:58:32 thunder pdns_recursor[15262]: [1165] oldbridgeinc.com.:
> Trying IP 12.44.213.89:53, asking 'oldbridgeinc.com.|A'
> Nov 24 16:58:32 thunder pdns_recursor[15262]: [1165] oldbridgeinc.com.:
> query throttled
> Nov 24 16:58:32 thunder pdns_recursor[15262]: [1165] oldbridgeinc.com.:
> Failed to resolve via any of the 2 offered NS at level 'oldbridgeinc.com.'
> Nov 24 16:58:32 thunder pdns_recursor[15262]: [1165] oldbridgeinc.com.:
> Invalidating nameservers for level 'oldbridgeinc.com.', next query might
> succeed
> Nov 24 16:58:32 thunder pdns_recursor[15262]: [1165] oldbridgeinc.com.:
> failed (res=-1)
> Nov 24 16:58:32 thunder pdns_recursor[15262]: [1165] answer to question
> 'oldbridgeinc.com.|A': 0 answers, 0 additional, took 1 packets, 2 throttled,
> 0 timeouts, 0 tcp connections, rcode=2
>
> It looks like it is trying to hand the query off to
> ns1.jbdesign.net/ns2.jbdesign.net which is correct (ns2 runs on this same
> box, on a different interface).  This recursor IS able to resolve both  NS1
> and NS2 (only because I have added jbdesign.net to the forwarders= option in
> recursor.conf).  Unfortunately, dig didn't return any useful info probably
> due to the fact that --trace made the recursor completely unresponsive, but
> here is the output after I turned --trace off:
>
> [EMAIL PROTECTED]:/etc/rc.d/init.d$ dig oldbridgeinc.com @172.15.64.11
>
> ; <<>> DiG 9.3.4-P1 <<>> oldbridgeinc.com @172.15.64.11
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54661
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;oldbridgeinc.com.  IN  A
>
> ;; ANSWER SECTION:
> oldbridgeinc.com.   86400   IN  A   72.29.72.191
>
> ;; Query time: 116 msec
> ;; SERVER: 172.15.64.11#53(172.15.64.11)
> ;; WHEN: Mon Nov 24 17:05:20 2008
> ;; MSG SIZE  rcvd: 50
>
>
> Thanks,
>
> Josh
>
>
>
> -Original Message-
> From: bert hubert [mailto:[EMAIL PROTECTED]
> Sent: Mon 11/24/2008 4:43 PM
> To: Baird, Josh
> Cc: pdns-users@mailman.powerdns.com
> Subject: Re: [Pdns-users] PDNS & pdns-recursor on same machine problems
>
> On Mon, Nov 24, 2008 at 03:36:07PM -0600, Bai

Re: [Pdns-users] Error While loading shared libraries: libpq.so.5: Cannot open shared object

2008-11-17 Thread Augie Schwer
On Sat, Nov 15, 2008 at 8:50 PM, BORIN HY/WiCAM <[EMAIL PROTECTED]> wrote:
> I just download the latest release of power dns rpm and install it on my the
> Fedora core 9.
> When I do the try to start power dns, I got the following error.
> $/etc/init.d/pdns start
> Starting PowerDNS authoritative nameserver: /usr/sbin/pdns_server: error
> while loading shared libraries: libpq.so.5: cannot open shared object file:
> No such file or directory

Do you actually want to use the PostgreSQL back-end, or is that just
the default in the distribution config?

The docs. might help too:

http://docs.powerdns.com/


-- 
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Slaves aren't fetching zones fast enough.

2008-10-23 Thread Augie Schwer
Well PowerDNS will check for updates from masters at a regular interval.

Are your PowerDNS slaves set to 'slave'?

http://doc.powerdns.com/slave.html

--Augie

On Thu, Oct 23, 2008 at 1:59 PM, Tyler Hall <[EMAIL PROTECTED]> wrote:
> The slaves do get it, just hours/days after I send the NOTIFY.
>
>
> On Thu, Oct 23, 2008 at 1:55 PM, Augie Schwer <[EMAIL PROTECTED]>
> wrote:
>>
>> allow-axfr-ips ?
>>
>> http://doc.powerdns.com/all-settings.html
>>
>> On Fri, Oct 17, 2008 at 7:27 PM, Tyler Hall <[EMAIL PROTECTED]> wrote:
>> > I have more information about this (finally), hopefully someone out there
>> > has this same problem.
>> >
>> > When my zones update, my master (bind) server will send a NOTIFY to my
>> > pdns
>> > server.   It receives it (I can see it in tcpdump) but according to
>> > /var/log/messages, it doesn't fetch the new zone.
>> >
>> > /var/log/messages is getting flooded with 'Domain is fresh' hundreds of
>> > times as it's checking all the zones, and it does it quite often.
>> >  So
>> > the question is, what takes priority?  I'd imagine a NOTIFY would take
>> > priority over 'serial checks' to see if a domain needs to be updated,
>> > but it
>> > doesn't.  Since it's always doing domain checks, it seems it
>> > completely
>> > ignores the NOTIFY's.
>> >
>> > I can give people access to the boxes if it would help in
>> > troubleshooting.
>> > I'm pulling out my hair here.
>> >
>> > Thanks.
>> >
>> > -thall
>> >
>> >
>> >
>> >
>>
>>
>>
>> --
>> Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
>> Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072
>
>



-- 
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Slaves aren't fetching zones fast enough.

2008-10-23 Thread Augie Schwer
allow-axfr-ips ?

http://doc.powerdns.com/all-settings.html

On Fri, Oct 17, 2008 at 7:27 PM, Tyler Hall <[EMAIL PROTECTED]> wrote:
> I have more information about this (finally), hopefully someone out there
> has this same problem.
>
> When my zones update, my master (bind) server will send a NOTIFY to my pdns
> server.   It receives it (I can see it in tcpdump) but according to
> /var/log/messages, it doesn't fetch the new zone.
>
> /var/log/messages is getting flooded with 'Domain is fresh' hundreds of
> times as it's checking all the zones, and it does it quite often.  So
> the question is, what takes priority?  I'd imagine a NOTIFY would take
> priority over 'serial checks' to see if a domain needs to be updated, but it
> doesn't.  Since it's always doing domain checks, it seems it completely
> ignores the NOTIFY's.
>
> I can give people access to the boxes if it would help in troubleshooting.
> I'm pulling out my hair here.
>
> Thanks.
>
> -thall
>
>
>
>



-- 
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Recursor use ISP dns server

2008-08-11 Thread Augie Schwer
On Mon, Aug 11, 2008 at 6:49 AM, Joris Dobbelsteen
<[EMAIL PROTECTED]> wrote:
> I have the powerdns recursor and it works perfectly. Except I would like to
> configure it to use my ISP DNS servers in addition to others.

What Operating System are you using? On Linux this would be:

/etc/resolv.conf

nameserver 127.0.0.1
nameserver 


-- 
Augie Schwer - [EMAIL PROTECTED] - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] 2.9.21.1 - Return of the wild card problem

2008-08-07 Thread Augie Schwer
On Wed, Aug 6, 2008 at 11:14 PM, bert hubert <[EMAIL PROTECTED]> wrote:
> On Wed, Aug 06, 2008 at 04:34:12PM -0700, Augie Schwer wrote:
>> http://wiki.powerdns.com/cgi-bin/trac.fcgi/ticket/124
>> This seems to have cropped back up in the latest PowerDNS Auth.
>> release (2.9.21.1). How to reproduce:
> Please do realise 2.9.21.1 is 2.9.21, and not related to any SVN builds you
> may be running!
> So if the bug was in 2.9.21, it will also be in 2.9.21.1.

OK, that makes sense, in that case I'll start rolling the latest
snapshot out so I can get both fixes. :)


-- 
Augie Schwer - [EMAIL PROTECTED] - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] 2.9.21.1 not able to build on RHEL 3

2008-08-06 Thread Augie Schwer
On Wed, Aug 6, 2008 at 3:06 PM, Bas <[EMAIL PROTECTED]> wrote:
> When compiling 2.9.21.1 i get the following error. (2.9.21 used to build
> fine and still does.)

You could try building a static build on your RHEL 4 or 5 boxes.


-- 
Augie Schwer - [EMAIL PROTECTED] - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


[Pdns-users] 2.9.21.1 - Return of the wild card problem

2008-08-06 Thread Augie Schwer
http://wiki.powerdns.com/cgi-bin/trac.fcgi/ticket/124

This seems to have cropped back up in the latest PowerDNS Auth.
release (2.9.21.1). How to reproduce:

*.usenetbinaries.com. 7200 IN CNAME www.usenetbinaries.com.

[EMAIL PROTECTED] ~]$ dig +norecurse aaaa admin.usenetbinaries.com @a.auth-ns.sonic.net +short

www.usenetbinaries.com.

usenetbinaries.com.

[EMAIL PROTECTED] ~]$ dig +norecurse a admin.usenetbinaries.com @a.auth-ns.sonic.net +short

208.201.228.99

If you run a caching name server locally and the resolver routine
asks for AAAA first you will cache the incorrect wild-card answer.


-- 
Augie Schwer - [EMAIL PROTECTED] - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Problems with ANY query

2008-07-17 Thread Augie Schwer
Martijn,

Your concerns sound familiar and I'm pretty sure they all got covered
in the latest 2.9.21 release; check these bug reports to see if they
match what you are seeing:

http://wiki.powerdns.com/cgi-bin/trac.fcgi/ticket/167
http://wiki.powerdns.com/cgi-bin/trac.fcgi/ticket/125
http://wiki.powerdns.com/cgi-bin/trac.fcgi/ticket/124
http://wiki.powerdns.com/cgi-bin/trac.fcgi/ticket/118

--Augie

On Thu, Jul 17, 2008 at 3:28 AM, Martijn Grendelman <[EMAIL PROTECTED]> wrote:
> Hi,
>
>> First let me say 2.9.20 has many issues that are fixed in 2.9.21. In any
>> case 2.9.21 will behave differently with regards to the issue you are
>> seeing.
>
> I once upgraded to 2.9.21, but then a critical problem concerning
> wildcard cnames arose, IIRC, so we had to roll back :-(
>
>> What is happening is that ns6.ilse.nl gets a 'recursion desired' query for
>> ilsemedia.nl. It can answer without recursion however, because the server is
>> authoritative for ilsemedia.nl. On answering, it discovers all the
>> ilsemedia.nl records do not fit in the standard 512 byte UDP packet, and it
>> sends back a truncated packet, with a flag that says 'ask over TCP'.
>
> Ah, thank you for this explanation!
>
>> Then dig retries over TCP, and then something unfortunate happens. TCP
>> recursion desired queries are always handed over directily to the configured
>> resolver ('recursor=' in the configuration), without looking at the local
>> cache. And I think your recursor then fails to transfer all those records
>> over TCP.
>
>>> If I try the ANY query with 'dig +norecurse', it works!
>>
>> That is correct. Luckily, the world at large will only ask +norecurse
>> questions. The only people that won't are the people you resolve for, so for
>> them it might be a problem.
>
> Well, as a matter of fact, I stumbled across this problem, because the
> registration of a .fr domain failed. Apparently, AFNIC does nameserver
> checks that are even worse than the ones from SIDN and it appears they
> do an ANY query that fails on these servers, so I suspect they ask with
> 'rd'.
>
>>> I just added a domain to the database, so the server is authoritative
>>> for it. The domain has not yet moved, so the 'real world' nameserver is
>>> in fact 'dns2.nettica.com'.
>>>
>>> Now if I query the server for it (from somewhere on the net, from an IP
>>> that is NOT allowed to use recursion on this server):
>>>
>>> $ dig @ns6.ilse.nl spullenbank.net any
>>
>> Odd - more or less the same thing happens, a fallback to TCP, which causes
>> the entire query to go to the recursor. Are you 100.00% sure you don't allow
>> recursion for the world? Your server positively says it is willing to
>> recurse for me.
>
> Over UDP it doesn't, as far as I can tell. If I ask it for 'xs4all.nl
> any', I get SERVFAIL. The log says: "Not authoritative for 'xs4all.nl',
> sending servfail to 213.207.104.11 (recursion was desired)".
>
> However, dig +tcp @ns6.ilse.nl xs4all.nl any gives me what I asked for.
>
>>> I get the results from dns2.nettica.com! If I do:
>>>
>>> $ dig +norecurse @ns6.ilse.nl spullenbank.net any
>>>
>>> I get the results from ns6.ilse.nl
>>
>> That is correct.
>>
>>> I hope the problem is clear. It appears that PowerDNS is recursing on
>>> ANY queries (and not on other type queries), even though the client is
>>> not allowed to recurse AND the domain in question CAN be answered
>>> locally (and only when both of these conditions are met).
>>>
>>> Is this is known issue with 2.9.20?
>>
>> You might want to try with 2.9.21, but in general, mixing auth and resolver
>> operation on 1 IP address is filled with issues like these. This is
>> partially due to the PowerDNS design, partially due to the fundamentally
>> confusing nature of mixing both modes of operation.
>
> I guess I can lose the whole recursor thing.
>
>> I see two "bugs" in the above: 1) that TCP recursion desired packets aren't
>> filtered through the local database 2) that your server appears to be
>> willing to recurse for the whole world over TCP.
>>
>> '2' might very well be solved in 2.9.21.
>
> I'll investigate if an upgrade is viable :-)
>
> Thank you for your help!!
>
> Best regards,
> Martijn.
>
>
>
>
>
>



-- 
Augie Schwer - [EMAIL PROTECTED] - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Statement on the recent DNS vulnerability & impact on PowerDNS (none)

2008-07-09 Thread Augie Schwer
Digg it here:

http://digg.com/security/Some_thoughts_on_the_recent_DNS_vulnerability

--Augie

On Wed, Jul 9, 2008 at 1:46 PM, bert hubert <[EMAIL PROTECTED]> wrote:
> Some more personal notes on this issue can be found on
> http://blog.netherlabs.nl/articles/2008/07/09/some-thoughts-on-the-recent-dns-vulnerability
>
>Bert
>
> On Wed, Jul 09, 2008 at 08:16:19PM +0200, bert hubert wrote:
>> We're being approached from various angles about PowerDNS and the recently
>> discovered DNS vulnerability (http://www.kb.cert.org/vuls/id/800113 )
>
> --
> http://www.PowerDNS.com  Open source, database driven DNS Software
> http://netherlabs.nl  Open and Closed source services
>



-- 
Augie Schwer - [EMAIL PROTECTED] - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] pdns_recursor Error dealing with control socket request: Unable to send message over control channel

2008-07-02 Thread Augie Schwer
On Wed, Jul 2, 2008 at 11:28 AM, bert hubert <[EMAIL PROTECTED]> wrote:
> On Wed, Jul 02, 2008 at 10:55:00AM -0700, Augie Schwer wrote:
>> Jul  2 10:00:40 syslog.sr.sonic.net pdns_recursor[23096]: Error
>> dealing with control socket request: Unable to send message over
>> control channel '/var/run//lsockclauJw': No such file or directory
> Do you run heaps and heaps and heaps of rec_control commands simultaneously?

It's the syslog box, so there are heaps and heaps of DNS requests.

> What OS is this box running? Do you have a script that cleans /var/run/
> periodically? Perhaps using cron at 10:00 ?

CentOS release 4.6 (Final)

Nothing cleans out /var/run/.

The box is having problems, so I am gathering evidence and trying to
put this into the "cause" class or "effect" class.


-- 
Augie Schwer - [EMAIL PROTECTED] - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


[Pdns-users] pdns_recursor Error dealing with control socket request: Unable to send message over control channel

2008-07-02 Thread Augie Schwer
Anyone know why the Recursor would log something like this?

Jul  2 10:00:40 syslog.sr.sonic.net pdns_recursor[23096]: Error
dealing with control socket request: Unable to send message over
control channel '/var/run//lsockclauJw': No such file or directory

The error is transient, only occurs on one box, and I can't reproduce
it; fun huh? Does anyone have any clues as to why this would happen?

"PowerDNS Recursor 3.1.6 $Id: pdns_recursor.cc 1179 2008-04-25 09:02:49Z ahu $"


-- 
Augie Schwer - [EMAIL PROTECTED] - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


[Pdns-users] Patch to fix Makefile-recursor for Make 3.80

2008-06-30 Thread Augie Schwer
FYI:

I needed to apply the following before I could get the latest PowerDNS
Recursor (3.1.7) to build under CentOS 4 using Make version 3.80;
which admittedly is a version that is six years out of date.

[EMAIL PROTECTED] pdns]$ svn diff Makefile-recursor
Index: Makefile-recursor
===
--- Makefile-recursor   (revision 1228)
+++ Makefile-recursor   (working copy)
@@ -42,11 +42,13 @@
STATICFLAGS=-Wl,-Bstatic -lstdc++ $(LUALIBS) -lgcc
-Wl,-Bdynamic -static-libgcc -lm -lc
LINKCC=$(CC)
LDFLAGS += malloc.o -ldl -lm
-else ifeq ($(STATIC),full)
+else
+   ifeq ($(STATIC),full)
STATICFLAGS=-lstdc++ $(LUALIBS) -ldl -lm -static
LINKCC=$(CC)
-else
+   else
LDFLAGS += malloc.o $(LUALIBS)
+   endif
 endif
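Review bot: the nested `else` / `ifeq ($(STATIC),full)` / `endif` block carries no comment saying why it replaces the single `else ifeq`, so a later tidy-up can fold it back into one line and break Make 3.80 again; add a one-line note above the new `+else`, for example `# nested ifeq: GNU make 3.80 has no 'else ifeq'` (the combined directive arrived in 3.81, which matches the 3.80 build failure described in the message). Also check that the three indented directive lines are indented with spaces rather than a tab, since a line that begins with a tab after a rule is handed to the shell as a recipe line instead of being read as a conditional.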



-- 
Augie Schwer - [EMAIL PROTECTED] - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Cleanest way to delete unexitant domains on slave?

2008-06-27 Thread Augie Schwer
On Fri, Jun 27, 2008 at 12:17 AM, Anton - Valqk <[EMAIL PROTECTED]> wrote:
> Augie Schwer wrote:
>> On Wed, Jun 25, 2008 at 7:19 AM, Anton - Valqk <[EMAIL PROTECTED]> wrote:
>>> I'm wondering what's the cleanest way to delete nonexistent (deleted)
>>> domains from slave powerdns that
>>> have been populated there from a supermaster server?
>> There is no automatic way; you must do this with code. Either diff
>> both data sets and deal with conflicts, or turn Supermaster off and
>> make sure when you add and delete from both the master and the slave.
> yes, I'm aware of this, dunno why you've ignored my second part of the
> email?
> That's what I'm asking - is there a way to list _all_ domain from the
> supermaster (with host, nslookup or dig?)
> or I should read directly from the database server?
> I'll then make a diff and delete missing domains from slave.

If you want to list all the domains in your MySQL PowerDNS back-end,
then you should do it with code; perhaps this code:

http://search.cpan.org/~augie/PowerDNS-Backend-MySQL-0.06/lib/PowerDNS/Backend/MySQL.pm#list_domain_names


-- 
Augie Schwer - [EMAIL PROTECTED] - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Cleanest way to delete unexitant domains on slave?

2008-06-26 Thread Augie Schwer
On Wed, Jun 25, 2008 at 7:19 AM, Anton - Valqk <[EMAIL PROTECTED]> wrote:
> I'm wondering what's the cleanest way to delete nonexistent (deleted)
> domains from slave powerdns that
> have been populated there from a supermaster server?

There is no automatic way; you must do this with code. Either diff
both data sets and deal with conflicts, or turn Supermaster off and
make sure when you add and delete from both the master and the slave.


-- 
Augie Schwer - [EMAIL PROTECTED] - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Delegating whole domain

2008-06-23 Thread Augie Schwer
And you are sure that you are running a recursor on that same box
that's answering authoritatively for xxx.pl?

--Augie

On Mon, Jun 23, 2008 at 2:40 AM, Lazy <[EMAIL PROTECTED]> wrote:
> Hello,
> We have some trouble delegating the whole domain on some other
> nameserver. Delegating subdomains works flawlessly.
>
> We are using gmysql backend
>
> +-------+--------+--------+------------+--------+-----------------+---------+
> | id    | name   | master | last_check | type   | notified_serial | account |
> +-------+--------+--------+------------+--------+-----------------+---------+
> | 10596 | xxx.pl | NULL   |       NULL | NATIVE |            NULL | NULL    |
> +-------+--------+--------+------------+--------+-----------------+---------+
>
> +--------+-----------+--------+------+-------------+-------+------+-------------+
> | id     | domain_id | name   | type | content     | ttl   | prio | change_date |
> +--------+-----------+--------+------+-------------+-------+------+-------------+
> | 280725 |     10596 | xxx.pl | NS   | ns1.yyy.pl. | 86400 | NULL |        NULL |
> | 280726 |     10596 | xxx.pl | NS   | ns2.yyy.pl. | 86400 | NULL |        NULL |
> +--------+-----------+--------+------+-------------+-------+------+-------------+
>
> host xxx.pl our-pdns.pl returns (SERVFAIL), but
> host -t ns xxx.pl our-pdns.pl is ok.
>
> What are we doing wrong ?
>
> Thanks for your time.
>
> --
> Michal Grzedzicki
>
>



-- 
Augie Schwer - [EMAIL PROTECTED] - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] PowerDNS 2.9.21, CNAME wild cards, host(1) and AAAA lookups

2008-06-16 Thread Augie Schwer
This sounds like #125
(http://wiki.powerdns.com/cgi-bin/trac.fcgi/ticket/125) which was
marked as resolved a while back; can you confirm that this old ticket
matches the behavior you are seeing?  --Augie


On Thu, Jun 12, 2008 at 12:11 PM, Jaco Engelbrecht
<[EMAIL PROTECTED]> wrote:
> Hi,
>
> I've run into a possible bug/new feature/change of behavior with wild card
> records (which uses CNAME), host(1) and the latest version of PowerDNS
> authoritative server.
>
> Essentially, PowerDNS version 2.9.21 returns the wild card record (which has
> been setup as a CNAME, see below) when asking for AAAA records that do
> not exist.
>
> Previous versions of PowerDNS, including Bind 9.4 with the same zone data,
> will only return the IPv4 record, and no wild card record.
>
> PowerDNS 2.9.21:
>
> [EMAIL PROTECTED]:~$ host host.test.internal
> Using domain server:
> Name: ns2.test.internal
> Address: 172.20.194.28#53
> Aliases:
>
> host.test.internal has address 34.34.34.34 <- A record
> host.test.internal is an alias for catch.test.internal. <- AAAA record
> host.test.internal is an alias for catch.test.internal. <- MX record
>
> The records in PowerDNS is as follows:
>
> +--------------------+---------------------+-------------+
> | name               | content             | record_type |
> +--------------------+---------------------+-------------+
> | *.test.internal    | catch.test.internal | CNAME       |
> | host.test.internal | 34.34.34.34         | A           |
> +--------------------+---------------------+-------------+
>
> Bind 9.4.2 behaves the same as PowerDNS 2.9.20.
>
> I can understand that this behavior is technically correct, and that if I do
> not want this to happen, I should change my record_type for my wild card
> from CNAME to A instead.  I'm just not sure if this is is intended behavior
> in the latest version of PowerDNS?  I can't see this mentioned in the change
> log?
>
> Cheers,
> Jaco
>
> --
>
> Behavior for host.test.internal against PowerDNS 2.9.20
>
> [EMAIL PROTECTED]:~$ host -t AAAA host.test.internal
> Using domain server:
> Name: 172.20.32.2
> Address: 172.20.32.2#53
> Aliases:
>
> host.test.internal has no AAAA record
>
> [EMAIL PROTECTED]:~$ host -t A host.test.internal
> Using domain server:
> Name: 172.20.32.2#53
> Address: 172.20.32.2#53
> Aliases:
>
> host.test.internal has address 34.34.34.34
>
> --
>
> Behavior for host.test.internal against PowerDNS 2.9.21
>
> [EMAIL PROTECTED]:~$ host -t AAAA host.test.internal
> Using domain server:
> Name: 172.20.222.35
> Address: 172.20.222.35#53
> Aliases:
>
> host.test.internal is an alias for catch.test.internal.
>
> [EMAIL PROTECTED]:~$ host -t A host.test.internal
> Using domain server:
> Name: 172.20.222.35
> Address: 172.20.222.35#53
> Aliases:
>
> host.test.internal has address 34.34.34.34
>
>
>






-- 
Augie Schwer - [EMAIL PROTECTED] - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072
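Both the 2.9.21.1 report earlier in this archive and the thread above describe the same behaviour: a wildcard CNAME being handed back for an AAAA query on a name that already exists with an A record, which a caching resolver that asks AAAA first then remembers. As an added example that is not code from the list or from PowerDNS, here is a toy authoritative lookup in Python that applies the RFC 4592 rule: the wildcard is consulted only when the query name does not exist at all, so an existing name that lacks the requested type gets an empty NOERROR (NODATA) answer, which is what the BIND output quoted above shows. The zone data is constructed to mirror the records in the thread; the SOA/NS values and the address of catch.test.internal are placeholders. It goes slightly beyond the thread by also handling the closest-encloser case (a name below an existing name gets NXDOMAIN, not the apex wildcard) and includes, for contrast only, a function reproducing the faulty fall-through the thread reports.

```python
"""Toy authoritative lookup implementing RFC 4592 wildcard matching.

Added example for the pdns-users wildcard threads; not code from the
thread or from PowerDNS. Zone data is constructed to mirror the records
posted there (explicit A at host.test.internal, *.test.internal CNAME).
"""

ORIGIN = "test.internal."

# Constructed zone: {owner: {rrtype: [rdata, ...]}}. SOA/NS and the
# catch.test.internal address are placeholders, not values from the thread.
ZONE = {
    ORIGIN: {
        "SOA": ["ns1.test.internal. hostmaster.test.internal. 1 3600 900 604800 300"],
        "NS": ["ns1.test.internal."],
    },
    "host.test.internal.": {"A": ["34.34.34.34"]},
    "*.test.internal.": {"CNAME": ["catch.test.internal."]},
    "catch.test.internal.": {"A": ["34.34.34.35"]},
}


def ancestors(name):
    """Yield name, then each parent in turn, stopping at the zone origin."""
    labels = name.split(".")
    while len(labels) > 1:
        current = ".".join(labels)
        yield current
        if current == ORIGIN:
            return
        labels = labels[1:]


def existing_names(zone):
    """Every name that exists in the zone, including empty non-terminals."""
    return {n for owner in zone for n in ancestors(owner)}


def answer_from(rrsets, qname, qtype):
    """Answer section from one owner's RRsets; a CNAME answers any type."""
    if qtype in rrsets:
        return [(qname, qtype, rd) for rd in rrsets[qtype]]
    if "CNAME" in rrsets:
        return [(qname, "CNAME", rd) for rd in rrsets["CNAME"]]
    return []  # NODATA: the name exists but has no RRset of this type


def lookup(qname, qtype, zone=ZONE):
    """Return (rcode, answer). Per RFC 4592 the wildcard is used only when
    qname does not exist; an existing name lacking qtype yields NODATA."""
    qname, qtype = qname.lower(), qtype.upper()
    existing = existing_names(zone)
    if qname in existing:
        return "NOERROR", answer_from(zone.get(qname, {}), qname, qtype)
    # Name is absent: find the closest encloser, then its wildcard child.
    encloser = next((a for a in ancestors(qname) if a in existing), None)
    if encloser is None:
        return "REFUSED", []  # outside this zone
    wildcard = "*." + encloser
    if wildcard not in zone:
        return "NXDOMAIN", []
    return "NOERROR", answer_from(zone[wildcard], qname, qtype)


def lookup_with_nodata_fallback(qname, qtype, zone=ZONE):
    """Reproduces the behaviour the threads report for 2.9.21: when qname
    exists but lacks qtype, the wildcard is applied anyway. This is the
    wrong behaviour and is kept only to show what a resolver would cache."""
    rcode, answer = lookup(qname, qtype, zone)
    if rcode != "NOERROR" or answer:
        return rcode, answer
    wildcard = "*." + ".".join(qname.lower().split(".")[1:])
    if wildcard in zone:
        return "NOERROR", answer_from(zone[wildcard], qname.lower(), qtype.upper())
    return rcode, answer


if __name__ == "__main__":
    for q in (("host.test.internal.", "A"), ("host.test.internal.", "AAAA"),
              ("other.test.internal.", "AAAA"), ("deep.host.test.internal.", "A")):
        print(q, "correct:", lookup(*q), "faulty:", lookup_with_nodata_fallback(*q))
```

Run it and the AAAA query for host.test.internal is the interesting row: the correct lookup returns NOERROR with an empty answer, the faulty variant returns the synthesized CNAME, and it is that CNAME that a resolver asking AAAA before A would cache and then follow for the later A query.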


Re: [Pdns-users] Bind8 migration to PowerDNS - SERVFAIL vs NOERROR ?

2008-05-28 Thread Augie Schwer
On Wed, May 28, 2008 at 3:48 PM, Jaco Engelbrecht
<[EMAIL PROTECTED]> wrote:
>  1) Has anyone done a migration like this before (bind9->pdns using
> supermaster/also-notify vs. the manual import of each zone), and is there
> anything that you'd could advise me of to watch out for, anything that could
> bite us?

PowerDNS domains do not expire like Bind domains do, so the Super
Master setup will work great for importing everything into PowerDNS
the first time, but after that domains will expire on the Bind side,
but never leave the PowerDNS side.

We did a Bind to PowerDNS migration and I found the best thing to do
was to put hooks into your existing add/remove domain management
system for adding and removing domains to/from the PowerDNS back-end
and using notifies to signal changes in the zone on the master.


-- 
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Supermaster XFER problem

2008-05-21 Thread Augie Schwer
On Wed, May 21, 2008 at 7:22 AM, Kieran Barnes <[EMAIL PROTECTED]> wrote:
> Dig reports "Transfer failed".
> I'm guessing there must be some config issue on DNS1.
> How do I turn debugging on?

http://docs.powerdns.com/all-settings.html

loglevel and query-logging might help.


-- 
Augie Schwer - [EMAIL PROTECTED] - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Supermaster XFER problem

2008-05-21 Thread Augie Schwer
On Wed, May 21, 2008 at 6:40 AM, Kieran Barnes <[EMAIL PROTECTED]> wrote:
> But I am getting the following errors
> May 21 14:39:23 adder pdns[28233]: 1 slave domain needs checking
> May 21 14:39:23 adder pdns[28233]: No serial for '' found - zone
> is missing?
> May 21 14:39:23 adder pdns[28233]: Unable to AXFR zone '':
> Remote nameserver unable/unwilling to AXFR with us: RCODE=5
> I can't seem to figure out what RCODE=5 means.

http://www.faqs.org/rfcs/rfc1035.html; that's the technical
definition, which basically says what you see: "action refused".

> Any suggestions?

Did you check that you can manually transfer zones?

dig -t axfr domain @dns1


-- 
Augie Schwer - [EMAIL PROTECTED] - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Duplicate SOA while using dig and zone2sql

2008-04-23 Thread Augie Schwer
On Wed, Apr 23, 2008 at 2:52 PM, Mick Pollard <[EMAIL PROTECTED]> wrote:
>  To migrate from bind to pdns-mysql I plan on just adding all my domains into 
> pdns as slaves with the existing bind as master and let it do axfr's and 
> populate the db for me.
>  Then when it is complete I will just update all the zones via sql to be of 
> type 'NATIVE', shut down bind and move powerdns to port 53.
>  Can anyone see a problem with this? It looks a lot easier than the zone2sql
> way.

In that case you may be interested in using the Supermaster feature of PowerDNS:

http://docs.powerdns.com/slave.html#SUPERMASTER


-- 
Augie Schwer - [EMAIL PROTECTED] - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] about performance

2008-03-14 Thread Augie Schwer
On Thu, Mar 13, 2008 at 4:11 PM, Chet Nichols III
<[EMAIL PROTECTED]> wrote:
> hey yeah- i'd actually be interested in this info too :D i was doing some
> load testing today, and was going to continue with it tomorrow, but if
> someone has already done the work, that'd rock.

I think the best thing to do is to analyze the real world traffic you
see using the tools PowerDNS provides:

http://docs.powerdns.com/analysis.html

and Nominum's queryperf; also read this presentation:

http://www.ripe.net/ripe/meetings/ripe-44/presentations/ripe44-dns-dnscomp.pdf


-- 
Augie Schwer - [EMAIL PROTECTED] - http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] superslaves sharing a common mysql backend?

2008-03-05 Thread Augie Schwer
On Wed, Mar 5, 2008 at 8:46 AM, Mathew Hennessy <[EMAIL PROTECTED]> wrote:
> I was wondering if it was safe to configure multiple superslave servers
> to point to the same slave mysql DB? I've currently got a sqlite3 backend
> in testing, but deleting domains from the master doesn't automatically
> delete them from superslaves so I'd prefer to have a setup where I can
> automate domain deletes as much as possible.

Domains do not automatically expire out of PowerDNS, so you will need
to do your own cleanup.




Re: [Pdns-users] Forward queries for 1 domain to another server

2008-03-05 Thread Augie Schwer
http://docs.powerdns.com/built-in-recursor.html#RECURSOR-SETTINGS

forward-zones-file
forward-zones

--Augie

On Tue, Mar 4, 2008 at 10:59 PM, Hugo van der Kooij
<[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have gone over the manual twice and done some searches but I have not
> seen an answer.
>
> Is there a way to configure pdns to forward requests for a certain domain
> to another DNS server? My own domains are in mysql and I have also set up
> a recursor on the server, but I want queries for a specific domain to be
> sent to a specific server.
>
> I found one relevant hit but it did not contain an answer:
> http://www.nabble.com/Forwarding-Zone-in-PDNS-to10648694.html#a10648695
>
> At least not one I could trace back to any documentation.
>
> Hugo.





Re: [Pdns-users] External CNAME w/ auth and recursor

2008-03-04 Thread Augie Schwer
We run the latest auth. code out of SVN and the official recursor
release and I don't have any problems like you have described; you
should at least be running the latest official release of the auth.
code: 2.9.21.  --Augie

On Tue, Mar 4, 2008 at 2:51 AM, Sebastien Luttringer
<[EMAIL PROTECTED]> wrote:
> Sebastien Luttringer wrote:
>  > Hello,
>  >
>  > With a pdns 2.9.20-8 (from debian package), I can't resolve external
>  > CNAMEs. pdns is authoritative for my domains and recursive for others. I
>  > know it's bad, but it's not my choice.
>  >
>  > After some web browsing, I can't find a conf option to allow powerdns to
>  > use its resolver to answer external CNAMEs.
>  >
>  > I've read this:
>  > http://www.nabble.com/CNAME-answer-problem--td12085558.html which
>  > explains that everything is OK. It's right for an authoritative server,
>  > but if we want to use pdns as a recursive and authoritative server,
>  > external CNAMEs should be resolved first by pdns-server (for the
>  > cname) and then by pdns-recursor (for the cname answer). Isn't it?
>  >
>  > Is this really impossible, or am I doing something wrong?
>  >
>  Does somebody else have the same behaviour with powerdns, or is it only me?
>
>
>
>  --
>  Sebastien "Seblu" Luttringer  [EMAIL PROTECTED]
>  Smartjog SA   http://www.smartjog.com/
>





Re: [Pdns-users] reverse lookup zones

2008-02-23 Thread Augie Schwer
On Thu, Feb 21, 2008 at 4:36 PM, Eugene Pefti <[EMAIL PROTECTED]> wrote:
> But that was run and obtained from forward lookup zones. Do I have to import
> reverse lookup zones the same way, or will I need to manually add PTR RRs to
> every migrated domain? We run a /20 network, that's 16 class C blocks and a
> great deal of reverse zones.

I'm not sure I understand the question. If you want the zones to show
up in PowerDNS, then yes you will have to import them.




Re: [Pdns-users] PDNS "ALSO-NOTIFY"

2008-02-21 Thread Augie Schwer
On Thu, Feb 21, 2008 at 6:04 AM, Ale * <[EMAIL PROTECTED]> wrote:
> I would like to know if in PowerDNS there's an option in "pdns.conf" that
> looks like "also-notify" in bind9. I have to notify modifications in my zone both
> to nameservers that I specify in NS RRs and to other nameservers that I would
> specify with an "also-notify" statement. Is it possible?

Check out pdns_control; it's not a config. option, but a command you
would be executing.

http://docs.powerdns.com/pdns-internals.html#PDNSCONTROL




Fwd: [Pdns-users] problems with superslave pdns

2008-02-21 Thread Augie Schwer
Please reply to the list.  --Augie


-- Forwarded message --
From: Anton - Valqk <[EMAIL PROTECTED]>
Date: Thu, Feb 21, 2008 at 2:36 AM
Subject: Re: [Pdns-users] problems with superslave pdns
To: Augie Schwer <[EMAIL PROTECTED]>


Hello again group,
I've solved the problem.
The master is running the latest powerdns 2.9.21.
The reason it won't send a notify to the slave is that
I have my own php class that manages the database;
I didn't know the purpose of the 'Notified serial' field in the domains table,
I supposed that it should be identical to the serial in the SOA record,
so I updated it every time I updated the SOA.
It appeared that notified serial is _the last serial sent to the slaves_!
So if anyone's implementing their own, the SOA SERIAL MUST BE UPDATED ONLY.
NOTIFIED SERIAL is being updated by powerdns and shows the last
serial sent to the slaves.
So when my values of SOA and notified were both the same, well...
slaves never got notified.

Thanks to everyone for the help,
hope we see the new notify protocol that will delete domains from the
slaves.
I'm very happy with powerdns, keep doing a good job guys! :)

cheers,
valqk.

Augie Schwer wrote:
 > On Wed, Feb 20, 2008 at 4:52 AM, Anton - Valqk <[EMAIL PROTECTED]> wrote:
 >
 >> The problem seems to be the master,
 >>  it never sends notify to the slave,
 >>  when I do it manually with pdns_control notify domain.com
 >>  the new domain.com gets inserted and works as expected in the slave.
 >>  this means the supermaster won't send the new domain to the slave for
 >>  some reason.
 >>
 >
 > Does it not send any notifies or just none for this domain? Is
 > PowerDNS configured as a master?
 >
 >
 >








Re: [Pdns-users] problems with superslave pdns

2008-02-20 Thread Augie Schwer
On Wed, Feb 20, 2008 at 4:52 AM, Anton - Valqk <[EMAIL PROTECTED]> wrote:
> The problem seems to be the master;
> it never sends a notify to the slave.
> When I do it manually with pdns_control notify domain.com
> the new domain.com gets inserted and works as expected on the slave.
> This means the supermaster won't send the new domain to the slave for
> some reason.

Does it not send any notifies or just none for this domain? Is
PowerDNS configured as a master?




Fwd: [Pdns-users] problems with superslave pdns

2008-02-20 Thread Augie Schwer
Please try and reply to the list.  --Augie


-- Forwarded message --
From: Anton - Valqk <[EMAIL PROTECTED]>
Date: Wed, Feb 20, 2008 at 4:52 AM
Subject: Re: [Pdns-users] problems with superslave pdns
To: Augie Schwer <[EMAIL PROTECTED]>


The problem seems to be the master;
it never sends a notify to the slave.
When I do it manually with pdns_control notify domain.com
the new domain.com gets inserted and works as expected on the slave.
This means the supermaster won't send the new domain to the slave for
some reason.

Any ideas?
I do set the SOA serial as MMDDHH (if the record is being updated and it's
done in the current hour, +1 the HH).
I do have an NS type record for the domain...
No clue at all why pdns is not sending the notify.
The strange thing is that when I used to run bind it complained about the
'missing' zone when I was creating a new domain and it had not been
added to the slave.




 Augie Schwer wrote:
 > Can you actually do a transfer from your master to your slave?
 >
 > dig -t axfr @217.75.141.6 interiorcity.net
 >
 > --Augie
 >








Re: [Pdns-users] problems with superslave pdns

2008-02-19 Thread Augie Schwer
Can you actually do a transfer from your master to your slave?

dig -t axfr @217.75.141.6 interiorcity.net

--Augie

On Feb 18, 2008 8:17 AM, Anton - Valqk <[EMAIL PROTECTED]> wrote:
> Hi there group,
> I've set up a superslave pdns server that should fetch automatically
> the newly added domains, but nothing happens.
>
> My master is 217.75.141.6 and the slave dns is ns1.hostit.bg.
> I have this record for supermaster:
> sqlite> select * from supermasters;
> 217.75.141.6|ns1.hostit.bg|internal
>
> I've added a new domain into the master but it never showed up in the
> logs or in the sqlite db.
> How can I debug why this happens?
> There is another problem...
> I've inserted all the domains that were in the master pdns in the
> records table; when I first started pdns it refreshed all the
> domains,
> but after that from time to time I get:
> Feb 18 16:07:33 ns1 pdns[87710]: Domain interiorcity.net is fresh
> Feb 18 16:07:35 ns1 pdns[87710]: Error trying to retrieve/refresh
> 'voigt-bg.com': Timeout waiting for answer from 217.75.141.6
> Feb 18 16:07:35 ns1 pdns[87710]: Domain arthotel-sbh.com is fresh
> Feb 18 16:07:35 ns1 pdns[87710]: Domain virtualboss.org is fresh
> Feb 18 16:07:36 ns1 pdns[87710]: Error trying to retrieve/refresh
> 'radioyouth.eu': Timeout waiting for answer from 217.75.141.6
> Feb 18 16:07:36 ns1 pdns[87710]: Domain samsungwimax.com is fresh
> Feb 18 16:07:36 ns1 pdns[87710]: Domain bfc-bg.org is fresh
> Feb 18 16:07:36 ns1 pdns[87710]: Domain das.bg is fresh
> Feb 18 16:07:38 ns1 pdns[87710]: Error trying to retrieve/refresh
> 'satelit-s.com': Timeout waiting for answer from 217.75.141.6
> Feb 18 16:07:39 ns1 pdns[87710]: Error trying to retrieve/refresh
> 'globalestates.eu': Timeout waiting for answer from 217.75.141.6
> Feb 18 16:07:39 ns1 pdns[87710]: Domain profilexchange.org is fresh
> Feb 18 16:07:39 ns1 pdns[87710]: Domain 101dalmatinci.com is fresh
>
> I'm running powerdns-2.9.21 in both places; the OS is FreeBSD.
> On the master side it's using the pgsql backend, on the slave it's psql,
> because the connectivity between the machines is not so good so I can
> set up pgsql replication,
> and the second machine is a vm with 1 purpose - slave dns.
>
> Thanks in advance for the advice/ideas.
>
> cheers,
> valqk.
>
>





Re: [Pdns-users] Help with pdns slave setup.

2008-02-19 Thread Augie Schwer
Check out Super Master:

http://docs.powerdns.com/slave.html#SUPERMASTER

--Augie

On Feb 16, 2008 4:10 PM, Anton - Valqk <[EMAIL PROTECTED]> wrote:
> Hi there guys,
> I'm trying to set up a slave pdns server that should add new domains
> sent by the master pdns
> by itself, so I don't need to add the domains newly added in the master
> by hand in the slave...
> Slave and master use different database servers, because the connection
> between them is not very fast and good.
> Is there a way, when I add a domain in the master pdns and it sends the
> notification of xfr, to add the new domain automatically?
> The main idea is to keep the slave synced automatically from the master...
>
> Can you please help me/point out an article, or what to read on my problem...
>
>
> cheers,
> valqk.
>
>





[Pdns-users] Re: Auth. server has poor TCP performance.

2008-02-15 Thread Augie Schwer
http://wiki.powerdns.com/cgi-bin/trac.fcgi/ticket/177

Moving the recursive call outside of the lock block seems to fix this
problem; patch below. I've had this patch in testing on a few servers and
so far no problems:

Index: pdns/tcpreceiver.cc
===
--- pdns/tcpreceiver.cc (revision 1141)
+++ pdns/tcpreceiver.cc (working copy)
@@ -241,6 +241,7 @@
 DLOG(L<<"TCP Connection accepted on fd "<(s_P->questionOrRecurse(packet.get(),
&shouldRecurse)); // we really need to ask the backend :-)

-   if(shouldRecurse) {
- proxyQuestion(packet);
- continue;
-   }
   }

+  if(shouldRecurse) {
+   proxyQuestion(packet);
+   continue;
+  }
+
   if(!reply)  // unable to write an answer?
break;
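Review bot: moving `if(shouldRecurse) { proxyQuestion(packet); continue; }` out of the locked scope is the right fix for the serialisation described in the thread, but the hunk never shows where `shouldRecurse` is declared: it has to live outside that block and be reset to false on every iteration of the connection loop, otherwise a question the backend answered itself could inherit the previous connection's value and be proxied anyway; the same goes for `packet`, which must not be an object whose lifetime ends with the lock scope. Separately, the first context line as archived (`DLOG(L<<"TCP Connection accepted on fd "<(s_P->questionOrRecurse(packet.get(),`) has been run together by the mail extraction, so the patch as shown here will not apply cleanly; take it from the ticket linked above rather than from this message.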



On Wed, Feb 13, 2008 at 12:56 PM, Augie Schwer <[EMAIL PROTECTED]> wrote:
> We have mixed use recursive servers that have both the auth. server
> and the pdns recursive server; the auth. server sees the client query
> first and hands it to the recursor if it doesn't have the answer; it's
> in this exchange that we see the problem.
>
> It seems that the TCP receiver can only handle one request at a time.
>
> The problem we've seen is if one request takes a long time to get an
> answer (like if the recursor takes a while to get back because the
> remote name server is slow or doesn't answer), then the other requests
> pile up behind it; get enough of these and the receiver stops
> accepting requests altogether.
>
> It's like the single TCP thread locks a global semaphore and all the
> other threads just wait for it to be done. Shouldn't the TCP threads
> be able to handle multiple simultaneous connections?
>
> We see this mostly with Microsoft mail servers, which prefer TCP for everything.
>
> Any thoughts?





[Pdns-users] Auth. server has poor TCP performance.

2008-02-13 Thread Augie Schwer
We have mixed use recursive servers that have both the auth. server
and the pdns recursive server; the auth. server sees the client query
first and hands it to the recursor if it doesn't have the answer; it's
in this exchange that we see the problem.

It seems that the TCP receiver can only handle one request at a time.

The problem we've seen is if one request takes a long time to get an
answer (like if the recursor takes a while to get back because the
remote name server is slow or doesn't answer), then the other requests
pile up behind it; get enough of these and the receiver stops
accepting requests altogether.

It's like the single TCP thread locks a global semaphore and all the
other threads just wait for it to be done. Shouldn't the TCP threads
be able to handle multiple simultaneous connections?

We see this mostly with Microsoft mail servers, which prefer TCP for everything.

Any thoughts?


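A toy model of the lock-held-while-proxying behaviour described in this report, added here as an illustration and not PowerDNS code; the class, the query names, the "only example.com is local" rule and the delays are constructed, and the fixed mode is the same handling with the proxy step moved outside the lock:

```python
import threading
import time


class TcpReceiverModel:
    """Toy model of the auth server's per-connection loop (not PowerDNS code).
    Each connection takes the receiver's global lock, asks the backend whether
    the question must be proxied to the recursor, and if so proxies it; the
    proxy step is a sleep standing in for a slow remote name server."""

    def __init__(self, proxy_inside_lock, proxy_delay=0.1):
        self.lock = threading.Lock()        # the "global semaphore" of the report
        self.proxy_inside_lock = proxy_inside_lock
        self.proxy_delay = proxy_delay
        self._in_proxy = 0                  # connections currently proxying
        self._max_in_proxy = 0              # peak observed concurrency
        self._stats = threading.Lock()

    def _backend_lookup(self, qname):
        # Constructed rule: only example.com is local; everything else recurses.
        return not qname.endswith("example.com")

    def _proxy_question(self, qname):
        with self._stats:
            self._in_proxy += 1
            self._max_in_proxy = max(self._max_in_proxy, self._in_proxy)
        time.sleep(self.proxy_delay)        # waiting on the recursor
        with self._stats:
            self._in_proxy -= 1

    def handle(self, qname):
        with self.lock:
            should_recurse = self._backend_lookup(qname)
            if should_recurse and self.proxy_inside_lock:
                self._proxy_question(qname)     # reported behaviour: lock held
                return
        if should_recurse:
            self._proxy_question(qname)         # lock already released

    def serve(self, qnames):
        """Handle all connections concurrently; return (peak number of
        simultaneously proxied questions, wall-clock seconds taken)."""
        threads = [threading.Thread(target=self.handle, args=(q,)) for q in qnames]
        start = time.monotonic()
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        return self._max_in_proxy, time.monotonic() - start


# Constructed: four TCP clients, all asking for names that need recursion.
QUESTIONS = ["mail1.test", "mail2.test", "mail3.test", "mail4.test"]

if __name__ == "__main__":
    for held in (True, False):
        peak, secs = TcpReceiverModel(proxy_inside_lock=held).serve(QUESTIONS)
        print(f"proxy inside lock={held}: peak concurrency {peak}, {secs:.2f}s")
```

With the lock held the four questions are proxied one at a time (peak 1, about four times the proxy delay); with the proxy step outside the lock they overlap.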


[Pdns-users] Auth. server leaks file descriptors.

2008-02-07 Thread Augie Schwer

# rpm -qa | grep pdns
pdns-recursor-3.1.4-1
pdns-static-2.9.21.20070915.1092-1




Re: [Pdns-users] Tools to analyse DNS traffic

2008-01-29 Thread Augie Schwer
On Jan 28, 2008 2:48 PM, Eugene Pefti <[EMAIL PROTECTED]> wrote:
> Thanks a lot for coming back. Listen, every time I run the configure script I
> end up with a message saying that I am missing the Boost packages, no matter where I
> run the script (I am testing it on Linux CentOS4.5 and FreeBSD 6.2). I have
> the boost package installed on both machines. And I even copied the boost folder
> from /usr/include to the pdns current directory and tried to tell the configure
> script where the boost folder is by assigning CXXFLAGS:
> CXXFLAGS=-I/pdns_folder/boost
> Where am I wrong?

Try installing the boost-devel package out of CentOS; I'm pretty sure
that worked for me in the past.




Re: [Pdns-users] NOTIFY FAILURE!

2008-01-29 Thread Augie Schwer
On Jan 27, 2008 4:44 AM, Ale * <[EMAIL PROTECTED]> wrote:
> I'm a newbie with PowerDNS. On a first machine (192.168.0.1) I have PowerDNS
> acting as master using the mysql (gmysql) backend, and on another machine
> (192.168.0.2) bind9 acting as slave. So I have set up both PowerDNS and bind9
> for this purpose and I execute both bind9 and powerdns monitor. All seems to
> work perfectly! There's an AXFR zone transfer to the slave (192.168.0.2) and
> the Resource Record file is created. However, there's a problem, for example,
> when I add an RR on the master and increment the serial for the slave update.

I don't think you want to update the notified_serial; I think what you
want to do is update the serial in the SOA for the zone you want to
transfer, then use pdns_control to notify your slaves:

http://doc.powerdns.com/pdns-internals.html

That's my guess at least.

Also, if you update the SOA serial your notifies will go out to the
hosts listed as NS for the zone every slave-interval.


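The notified_serial point made here, and in valqk's follow-up on the superslave thread earlier on this page, as an added example that is neither PowerDNS code nor any poster's: an in-memory sqlite model of the domains/records tables (a constructed subset of the generic SQL schema) with the master's notify rule simplified to the assumption "notify a MASTER zone when its SOA serial differs from notified_serial":

```python
import sqlite3

# Constructed, minimal subset of the PowerDNS generic SQL schema: only the
# columns this illustration needs. Added example, not PowerDNS or poster code.
SCHEMA = """
CREATE TABLE domains (
    id              INTEGER PRIMARY KEY,
    name            TEXT NOT NULL,
    type            TEXT NOT NULL,
    notified_serial INTEGER DEFAULT NULL
);
CREATE TABLE records (
    domain_id INTEGER,
    name      TEXT,
    type      TEXT,
    content   TEXT
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_master_zone(conn, name, serial):
    """Create a MASTER zone with one SOA record (constructed SOA values)."""
    cur = conn.execute(
        "INSERT INTO domains (name, type) VALUES (?, 'MASTER')", (name,))
    soa = f"ns1.{name} hostmaster.{name} {serial} 10800 3600 604800 3600"
    conn.execute(
        "INSERT INTO records (domain_id, name, type, content) VALUES (?, ?, 'SOA', ?)",
        (cur.lastrowid, name, soa))
    conn.commit()


def soa_serial(conn, name):
    """The serial is the third field of the SOA content string."""
    row = conn.execute(
        "SELECT r.content FROM records r JOIN domains d ON d.id = r.domain_id "
        "WHERE d.name = ? AND r.type = 'SOA'", (name,)).fetchone()
    return int(row[0].split()[2])


def bump_serial(conn, name, new_serial, also_touch_notified=False):
    """What a provisioning tool should do: rewrite the SOA serial only.
    also_touch_notified=True reproduces the mistake from the thread, where
    the tool also copied the new serial into domains.notified_serial."""
    old = soa_serial(conn, name)
    conn.execute(
        "UPDATE records SET content = REPLACE(content, ?, ?) "
        "WHERE type = 'SOA' AND domain_id = (SELECT id FROM domains WHERE name = ?)",
        (f" {old} ", f" {new_serial} ", name))
    if also_touch_notified:
        conn.execute("UPDATE domains SET notified_serial = ? WHERE name = ?",
                     (new_serial, name))
    conn.commit()


def zones_needing_notify(conn):
    """Simplified model (assumption) of the master's decision: a MASTER zone
    is due for a notify when its SOA serial differs from notified_serial,
    or when no notify has been recorded yet."""
    due = []
    for name, notified in conn.execute(
            "SELECT name, notified_serial FROM domains WHERE type = 'MASTER'"):
        if notified is None or soa_serial(conn, name) != notified:
            due.append(name)
    return sorted(due)


def record_notify_sent(conn, name):
    """The write that belongs to PowerDNS alone: after notifying, it stores
    the serial it just sent in notified_serial."""
    conn.execute("UPDATE domains SET notified_serial = ? WHERE name = ?",
                 (soa_serial(conn, name), name))
    conn.commit()


def demo(tool_touches_notified_serial):
    """Return the zones the master would notify after one zone edit."""
    conn = open_db()
    add_master_zone(conn, "example.com", 2008022101)
    record_notify_sent(conn, "example.com")     # first notify round is done
    bump_serial(conn, "example.com", 2008022102,
                also_touch_notified=tool_touches_notified_serial)
    return zones_needing_notify(conn)


if __name__ == "__main__":
    print("tool updates SOA only      ->", demo(False))   # ['example.com']
    print("tool also writes notified  ->", demo(True))    # []
```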


Re: [Pdns-users] Migration bind to pdns: no logging yet

2008-01-29 Thread Augie Schwer
On Jan 27, 2008 3:02 AM, Hugo van der Kooij <[EMAIL PROTECTED]> wrote:
> But the first thing is to get a log working so I can learn from the
> logs. So I added:
> use-logfile=yes
> loglevel=3
> logfile=/var/log/pdns.log

Try:

logging-facility=0

and add to syslog.conf

local0.none    -/var/log/messages
local0.*       -/var/log/pdns.log




Re: [Pdns-users] domain delete from Slave

2008-01-29 Thread Augie Schwer
On Jan 26, 2008 8:22 AM, Catalin Constantin <[EMAIL PROTECTED]> wrote:
> We could not find any way of HOW a zone is completely deleted
> "automatically" from the slave.

In my experience PowerDNS (unlike Bind) does not automatically expire
zones; this topic comes up from time to time. I did a quick google for
"pdns expire" and found the thread I was in a while back:

http://mailman.powerdns.com/pipermail/pdns-users/2007-September/004774.html




[Pdns-users] Perl CPAN PowerDNS modules released.

2007-12-31 Thread Augie Schwer
FYI.

I have released several PowerDNS modules to CPAN:

http://search.cpan.org/~augie/

PowerDNS::Backend::MySQL   Provides an interface to manipulate
                           PowerDNS data in the MySQL Backend.
PowerDNS::Control::Client  Provides an interface to control the
                           PowerDNS daemon.
PowerDNS::Control::Server  Provides an interface to control the
                           PowerDNS daemon.

The MySQL interface is based on code I have in production, but
currently is not what I have running, yet.

The Client/Server Control code I do have running in production;
although they currently only implement the features I needed to
deploy.

Feedback is welcome and very much appreciated; you can reply to this
thread, or just send me a private note.




Re: [Pdns-users] Frontend for PowerDNS ?!

2007-12-19 Thread Augie Schwer
On Dec 19, 2007 3:18 AM, milkteeth <[EMAIL PROTECTED]> wrote:
> Does anyone know about a reliable frontend for PowerDNS to use with PHP-5,
> MySQL-5?
> I have tried a few:
> PowerAdmin: not being updated anymore
> FreshDNS: still beta
> WebDNS: not good enough
> Tupa: also not so promising

I'm using ZoneAdmin internally:

http://sourceforge.net/projects/zoneadmin

Currently the PowerDNS Web Front-end field is playing itself out, no
clear leaders yet, but a few enthusiastic upstarts.

I think that anyone who is serious about offering DNS services to
customers is writing their own interface; which if you already have
some web developers shouldn't be that hard; hand them a decent spec.
and point them at the MySQL back-end and call it done.




[Pdns-users] Re: [Pdns-dev] PowerDNS MySQL API in Perl by a PowerDNS user

2007-11-14 Thread Augie Schwer
On 11/14/07, bert hubert <[EMAIL PROTECTED]> wrote:
> Hi everybody,
> PowerDNS user 'armormatic' has written a PowerDNS MySQL API in Perl which
> might be useful for other PowerDNS users.
> You can find it on http://armormatic.com/code/powerdns_mysqlapi/

Neat; any chance 'armormatic' is going to get this into CPAN? I have
quite a bit of additional functionality I could add to this from my
own PowerDNS.pm.




[Pdns-users] PowerDNS Auth. server does not set RA bit even if recursion is available.

2007-10-16 Thread Augie Schwer
The PowerDNS Auth. server does not set RA bit even if recursion is
available. Up until now this hasn't been a problem, but now it seems
that some OSs are shipping with resolver libraries that do care and
will discard replies if the RA bit is not set.

For example see the release notes from the latest Bind:
http://www.isc.org/index.pl?/sw/bind/view/?release=9.4.1-P1

"dig now warns if 'RA' is not set in the answer when 'RD' was set in
the query. host/nslookup skip servers that fail to set 'RA' when 'RD'
is set unless a server is explicitly set."

I have a customer who sees just this on Fedora Core 7.

We run the PowerDNS Auth. server with the PowerDNS Recursor and if you
ask our name servers a recursive query they will come back with the RA
bit set, but if you ask a question that does not need recursion then
the RA bit is not set.

[EMAIL PROTECTED] ~]$ dig sonic.net | grep flags
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
[EMAIL PROTECTED] ~]$ dig powerdns.com | grep flags
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

The problem is that these newer resolver libraries expect the name
servers listed in /etc/resolv.conf to be recursive servers, so if they
ask a question they expect to see the RA bit set even if the AA bit is
set.

Also (and I hate to use this) it seems to be against the RFC to not
set the RA when recursion is available -
http://www.faqs.org/rfcs/rfc1035.html

"RA  Recursion Available - this be is set or cleared in a
response, and denotes whether recursive query support is
available in the name server."

Bert, if you've read down this far, can you comment on the above; from
the conversations I've seen with the ISC devels. they seem pretty
adamant about keeping this logic in place going forward.


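A header-level check of the behaviour quoted above, added as an example that is not part of the original post and not any resolver library's code: it parses the 12-byte DNS header, renders the flags the way dig prints them, and applies the assumed rule "skip a server that answers an RD query without RA" to constructed packets mirroring the two dig runs in the post:

```python
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035 section 4.1.1).
QR = 1 << 15   # response
AA = 1 << 10   # authoritative answer
TC = 1 << 9    # truncated
RD = 1 << 8    # recursion desired
RA = 1 << 7    # recursion available


def parse_header(packet):
    """Decode the 12-byte DNS header; raises on a short packet."""
    if len(packet) < 12:
        raise ValueError("DNS header needs 12 bytes")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": qid,
        "qr": bool(flags & QR),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & AA),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def flags_string(header):
    """Render the flags the way dig prints them, e.g. 'qr aa rd'."""
    return " ".join(n for n in ("qr", "aa", "tc", "rd", "ra") if header[n])


def strict_resolver_accepts(query, response):
    """Model (assumption) of the stub behaviour quoted from the BIND notes:
    a response to an RD query whose RA bit is clear is treated as unusable,
    so the server gets skipped. ID and QR are checked first as any stub would."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return False
    if q["rd"] and not r["ra"]:
        return False
    return True


def build_header(qid, flags, qdcount=1, ancount=0):
    """Constructed header with the given flag word (no question section)."""
    return struct.pack("!HHHHHH", qid, flags, qdcount, ancount, 0, 0)


# Constructed packets mirroring the two dig runs in the post.
QUERY = build_header(0x1234, RD)
AUTH_ANSWER = build_header(0x1234, QR | AA | RD, ancount=1)       # flags: qr aa rd
RECURSED_ANSWER = build_header(0x1234, QR | RD | RA, ancount=1)   # flags: qr rd ra

if __name__ == "__main__":
    for name, pkt in (("sonic.net", AUTH_ANSWER), ("powerdns.com", RECURSED_ANSWER)):
        h = parse_header(pkt)
        print(f"{name}: flags {flags_string(h)}; strict stub accepts: "
              f"{strict_resolver_accepts(QUERY, pkt)}")
```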


Re: [Pdns-users] Debian Packages on powerdns.com

2007-09-26 Thread Augie Schwer
On 9/25/07, bert hubert <[EMAIL PROTECTED]> wrote:
> On Tue, Sep 25, 2007 at 10:42:38PM +1000, Duane wrote:
> > By default these packages run as root, whereas the debian packages drop
> > privileges by default.
> That is correct. We don't want to create new users.

Is this a different requirement than the RPMs? The RPM spec still
suggests the installer create a new user:

http://wiki.powerdns.com/cgi-bin/trac.fcgi/browser/trunk/pdns/pdns.spec#L39


-- 
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] PowerDNS does not expire domains - propagates lame delegation.

2007-09-14 Thread Augie Schwer
On 9/12/07, bert hubert <[EMAIL PROTECTED]> wrote:
> On Thu, Sep 13, 2007 at 05:55:06AM +1000, Richard McLean wrote:
> > At 12:51 PM -0700 12/9/07, Augie Schwer wrote:
> > >Alternatively Bind seems to note the non-authoritative answer from its
> > >master and add the domain into some list (neg. cache, etc.) and not
> > >answer authoritatively for it.
> > No, I'd say it sounds like a problem too. Having this feature would be
> > a great addition (and the more "correct" behaviour) for us.
> Hehe - we had this discussion some time ago and then the conclusion was the
> exact reverse, that people did not appreciate the DNS 'feature' of expiring
> a domain in case of the master being unavailable.
> For PowerDNS, implementing this requires actual work either in terms of
> performing more SQL queries, or actually deleting a zone after a while.
> Do people really care a lot?

Well someone has to be responsible for cleaning up the lame
delegation; either the slave or the master. Frankly even though I
brought it up, I am OK with the master being responsible for doing the
clean up; the master should know who's slaving from them and be smart
enough to tell those slaves when things change.

Where this can really be a problem is in a mixed Bind and PowerDNS
environment where your internal PowerDNS recursors have some out of
date auth. data and refer clients to your Bind auth. servers that
promptly return ServFail to the client.

In this situation your clients end up going nowhere when requesting
legitimate domains and your auth. servers receive more bogus traffic.

For my part, once we go full PowerDNS everything will look fine, even
though the problem will still exist, so we will have to do some manual
cleanup of the lame zones, but that's really not too much work.


-- 
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


[Pdns-users] PowerDNS does not expire domains - propagates lame delegation.

2007-09-12 Thread Augie Schwer
PowerDNS doesn't seem to enforce any kind of expiry of domains whose
master no longer answers authoritatively, so PowerDNS was a slave, but
should no longer be because the master it was slaving from went away,
but because it never expires the domain it continues to answer
authoritatively.

Alternatively Bind seems to note the non-authoritative answer from its
master and add the domain into some list (neg. cache, etc.) and not
answer authoritatively for it.

Am I wrong in thinking this is a problem?


-- 
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Re: forward-zones syntax for multiple IPs

2007-09-10 Thread Augie Schwer
On 5/19/06, Augie Schwer <[EMAIL PROTECTED]> wrote:
> On 5/18/06, bert hubert <[EMAIL PROTECTED]> wrote:
> > I might add this. Add a feature ticket for it on wiki.powerdns.com (yes,
> > I'll try to delete the spam, trac does not make this easy).
> http://wiki.powerdns.com/projects/trac/ticket/81
> Done; thanks for the consideration.

Bert, any chance this will make it into SVN and a snapshot release?
There's a patch in the ticket, but I haven't tried it out yet; is
anyone out there running it?


-- 
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] TCP transport prefers recursion over local database

2007-09-08 Thread Augie Schwer
On 9/8/07, Rafał Kupka <[EMAIL PROTECTED]> wrote:
> I've spotted something strange in PowerDNS behavior. It looks like a query
> over TCP uses recursion even if the record is in the local database (ldap
> backend).
> Server version 2.9.20. There are some TCP changes in the 2.6.21 changelog
> but unfortunately I cannot test it now. Maybe someone can test/confirm
> that this is fixed in 2.6.21?

Yeah, this was fixed a while ago:

http://wiki.powerdns.com/cgi-bin/trac.fcgi/ticket/118

You should update to the latest stable.


-- 
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] CNAME record to an external domain

2007-09-04 Thread Augie Schwer
On 9/4/07, Marko Kobal <[EMAIL PROTECTED]> wrote:
> Like I said in my original post, I have already read this 
> http://www.nabble.com/CNAME-answer-problem--t4246749.html but still

I think you have a different problem.

> dig @dns1.arctur.si www.urad.si
> returns NXDOMAIN
> while
> dig @dns1.arctur.si +norecur www.urad.si
> resolves domain as it should ...

Actually, I see +norecurse returning root referrals and +recurse
returning the CNAME, but also SERVFAIL.


-- 
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Differing (incorrect) behavior in 2.9.21 for AAAA records versus 2.9.20...

2007-08-13 Thread Augie Schwer
On 8/11/07, bert hubert <[EMAIL PROTECTED]> wrote:
> On Sat, Aug 11, 2007 at 11:06:23AM -0700, Augie Schwer wrote:
> > > A fix is in svn, so I wonder if people can verify that it solves the
> > > problem.
> > > Good luck!
> > That looks like it fixes it Bert. I'll have to do some more testing on
> > Monday, but preliminary results look good. Thank you so much Bert!
> Please also (re-)test all the other corner cases you reported in the past.
> Those are most likely to be affected by this fix.

Well it certainly seems to fix the AAAA problem (#125); the other bug
that seems related is #124:

http://wiki.powerdns.com/cgi-bin/trac.fcgi/ticket/124

This still exists, but I'm not sure this is a problem, I only know it
is different than what BIND returns; mostly it probably depends on how
the resolvers handle SERVFAILs.


-- 
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Differing (incorrect) behavior in 2.9.21 for AAAA records versus 2.9.20...

2007-08-11 Thread Augie Schwer
On 8/11/07, bert hubert <[EMAIL PROTECTED]> wrote:
> On Sat, Aug 11, 2007 at 09:51:24AM -0600, Michael Loftis wrote:
> > The behavior for AAAA's clearly differs from that for A's, so one just
> > needs to see how A's are being handled and make sure AAAA's are being
> > handled similarly.  (yes "just" heh.  I haven't looked at the new backend
> > code at all)
> In this case, the behaviour differs for matching wildcards versus partially
> matching wildcards, where the latter is of the right qname, but the wrong
> qtype.
> A fix is in svn, so I wonder if people can verify that it solves the
> problem.
> Good luck!

That looks like it fixes it Bert. I'll have to do some more testing on
Monday, but preliminary results look good. Thank you so much Bert!


-- 
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Differing (incorrect) behavior in 2.9.21 for AAAA records versus 2.9.20...

2007-08-11 Thread Augie Schwer
On 8/11/07, Michael Loftis <[EMAIL PROTECTED]> wrote:
> In the presence of a *.domain.com CNAME, 2.9.21, when asked for a more
> specific A record responds appropriately with the A record when an A record
> exists, and NOERROR/no answer for an MX or whatever.  However, when asked
> for an AAAA record, it will respond with the splat/*.domain.com CNAME
> instead.  An example of this is barracuda.neit.edu, ns1.modwest.com is
> running 2.9.20, and ns2.modwest.com is running 2.9.21, ns2 responds
> incorrectly directing traffic to the wrong place.
> Any idea when I can see a fix for this behavior?

I submitted a bug on this a while back:

http://wiki.powerdns.com/cgi-bin/trac.fcgi/ticket/125

And have been most recently lobbying (annoyingly at this point
probably) for a fix, but demand drives change, and there isn't much
demand to fix this bug yet.

If there was a voting system for bugs, then I think some people would
vote for this bug to be fixed, but as it stands maybe the best way to
vote for a fix is to put a "me too" entry on the open ticket; that or
fix it yourself, which I think is easier said than done as most likely
the bug is in the DB backend code as it seems to be too greedy in what
it grabs.


-- 
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] recursor can't refresh the . records

2007-08-10 Thread Augie Schwer
On 8/9/07, bert hubert <[EMAIL PROTECTED]> wrote:
> On Thu, Aug 09, 2007 at 10:42:30PM +0200, thomas polnik wrote:
> > > You may want to try without the firewall.
> > without iptables is perhaps a bad idea :), but I will change it to
> > iptables -I INPUT 1 -p udp --dport 53 -j ACCEPT
> > iptables -I INPUT 2 -p tcp --dport 53 -j ACCEPT
> This is wrong - you need to accept packets *coming* from port 53 for
> answers as well.
> Otherwise PowerDNS can't receive answers to the questions it is sending out!
> The trick is to rely on stateful iptables filtering.

The problem could very well be the statefulness of iptables as Kenneth
alludes to. Check /proc/net/ip_conntrack as you are most likely
exhausting the limits placed on the number of entries in the conntrack
table. You'll find some good info. from the following google link:

http://www.google.com/search?q=%2Fproc%2Fnet%2Fip_conntrack+%22too+many%22

Basically you want to turn stateful packet filtering off for all those
DNS requests; something like this would work:

# iptables -t raw -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
NOTRACK    tcp  --  anywhere             anywhere            tcp dpt:domain
NOTRACK    udp  --  anywhere             anywhere            udp dpt:domain
NOTRACK    tcp  --  anywhere             anywhere            tcp spt:domain dpts:1024:65535
NOTRACK    udp  --  anywhere             anywhere            udp spt:domain dpts:1024:65535

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
NOTRACK    tcp  --  anywhere             anywhere            tcp spt:domain
NOTRACK    udp  --  anywhere             anywhere            udp spt:domain
NOTRACK    tcp  --  anywhere             anywhere            tcp dpt:domain
NOTRACK    udp  --  anywhere             anywhere            udp dpt:domain

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
...
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:domain dpts:1024:65535
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain dpts:1024:65535

Note that you won't know which port your recursive answers will come
back to, thus the '1024:65535' rules; this is because you are not
tracking the connection anymore.


-- 
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072
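A way to check how much of the conntrack table DNS flows occupy, and to script the NOTRACK rules listed above, as an added example that is not part of this thread: the /proc/net/ip_conntrack text is a constructed sample in the 2.6-era layout (the regex may need adjusting for a newer /proc/net/nf_conntrack), and notrack_rules() returns the iptables commands for the rules shown above as argv lists for review; nothing is applied unless you run them yourself.

```python
"""Measure how much of the conntrack table DNS flows occupy, and generate the
NOTRACK rules from the post as iptables commands.

Added example, not part of the thread. The /proc/net/ip_conntrack text is a
constructed sample in the 2.6-era layout. Nothing is applied: the rules are
returned as argv lists for review.
"""
import re
import shlex

SAMPLE_CONNTRACK = """\
udp      17 28 src=10.0.0.5 dst=192.0.2.53 sport=41234 dport=53 [UNREPLIED] src=192.0.2.53 dst=10.0.0.5 sport=53 dport=41234 use=1
udp      17 17 src=10.0.0.5 dst=198.51.100.2 sport=53012 dport=53 src=198.51.100.2 dst=10.0.0.5 sport=53 dport=53012 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.7 dst=10.0.0.5 sport=51230 dport=22 src=10.0.0.5 dst=10.0.0.7 sport=22 dport=51230 [ASSURED] use=1
udp      17 29 src=203.0.113.9 dst=10.0.0.5 sport=50500 dport=53 [UNREPLIED] src=10.0.0.5 dst=203.0.113.9 sport=53 dport=50500 use=1
"""

_DPORT = re.compile(r"\bdport=(\d+)")


def conntrack_summary(text, port=53):
    """Count entries, and those whose original direction targets `port`.

    The first dport= on a line is the original direction, so both our
    recursor's outbound queries and inbound client queries match on 53."""
    total = dns = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        total += 1
        m = _DPORT.search(line)
        if m and int(m.group(1)) == port:
            dns += 1
    return {"total": total, "dns": dns}


def table_pressure(summary, ct_max):
    """Fraction of the table in use; ct_max is the ip_conntrack_max sysctl
    value (nf_conntrack_max on later kernels). Near 1.0 means dropped packets."""
    return summary["total"] / float(ct_max)


def notrack_rules(port="domain", ephemeral="1024:65535"):
    """iptables commands reproducing the raw-table NOTRACK and INPUT ACCEPT
    rules from the post, as argv lists. Nothing is executed here."""
    ipt = ["iptables"]
    rules = []
    for proto in ("tcp", "udp"):
        # raw/PREROUTING: queries arriving for us, and answers coming back to
        # our ephemeral ports, are never entered into conntrack
        rules.append(ipt + ["-t", "raw", "-A", "PREROUTING", "-p", proto, "--dport", port, "-j", "NOTRACK"])
        rules.append(ipt + ["-t", "raw", "-A", "PREROUTING", "-p", proto, "--sport", port, "--dport", ephemeral, "-j", "NOTRACK"])
        # raw/OUTPUT: our own answers and our outgoing recursion queries
        rules.append(ipt + ["-t", "raw", "-A", "OUTPUT", "-p", proto, "--sport", port, "-j", "NOTRACK"])
        rules.append(ipt + ["-t", "raw", "-A", "OUTPUT", "-p", proto, "--dport", port, "-j", "NOTRACK"])
    for proto in ("udp", "tcp"):
        # filter/INPUT: untracked packets never match ESTABLISHED, so queries
        # and the answers to our recursion must be accepted explicitly
        rules.append(ipt + ["-A", "INPUT", "-p", proto, "--dport", port, "-j", "ACCEPT"])
        rules.append(ipt + ["-A", "INPUT", "-p", proto, "--sport", port, "--dport", ephemeral, "-j", "ACCEPT"])
    return rules


def render_script(rules):
    """Shell-quoted lines suitable for review or for pasting into a script."""
    return "\n".join(" ".join(shlex.quote(a) for a in r) for r in rules)


if __name__ == "__main__":
    s = conntrack_summary(SAMPLE_CONNTRACK)
    print("conntrack entries: %(total)d, of which DNS: %(dns)d" % s)
    print("table in use: %.0f%% (against a constructed maximum of 8)" % (100 * table_pressure(s, 8)))
    print(render_script(notrack_rules()))
```

The trade-off the post points out applies unchanged: once port 53 traffic is untracked, the ESTABLISHED/RELATED match can no longer admit recursion replies, which is why the INPUT rules accept anything from source port 53 to the 1024:65535 range.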


Re: [Pdns-users] Re: CNAME/Wildcard problem - why you should care.

2007-08-03 Thread Augie Schwer
On 8/3/07, Benny Amorsen <[EMAIL PROTECTED]> wrote:
> Is there really a sane solution to this? I can see the same problem
> turning up for SRV records as well. Or MX records.

Yes, the solution is that PowerDNS should not offer wild card
information when the query domain does exist. Someone appended to the
bug I submitted saying that this was even in violation of RFC
standards. My hope here though is to convince people that this really
is a problem because as it stands now, I am in the small minority on
that.


-- 
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


[Pdns-users] Re: CNAME/Wildcard problem - why you should care.

2007-08-02 Thread Augie Schwer
Note that I do not see this problem in the 2.9.20 release, but I do
see it in the 2.9.21 release.


-- 
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] CNAME/Wildcard problem - why you should care.

2007-08-02 Thread Augie Schwer
On 8/1/07, Chris Seufert <[EMAIL PROTECTED]> wrote:
> Does this problem come into play when the client who is trying to
> resolve the domain name is sitting on an IPv6 network, or does it have
> the potential to happen with any IPv6 aware resolver (ie has an IPv4
> address, but is IPv6 capable)?

It happens any time a resolver makes a request for a resource record
(AAAA, CNAME, etc.) that does not exist on a query domain
(secure.example.com), and there is a wild card that points to a CNAME.

For example the resolver could ask for a CNAME of secure.example.com
and since there is no answer for that PowerDNS answers with the wild
card info. it has; which your recursor could cache and give you the
same problem.

> Just a thought, but instead of using a wildcard CNAME, perhaps you could
> use a wildcard A record, this does seem to alleviate the problem, but
> its not fixing the problem thou.

Sure that's a one off solution, but when you are talking about
thousands of domains, then it really isn't a solution.

> I see a bigger problem with a lookup
> of AAAA records on our installation.
> # host -t AAAA www.thewebdesigner.com.au fred.shopa.com.au
> www.thewebdesigner.com.au   CNAME   dsl.thewebdesigner.com.au
> dsl.thewebdesigner.com.au   CNAME   dsl.thewebdesigner.com.au
> ...
> dsl.thewebdesigner.com.au   CNAME   dsl.thewebdesigner.com.au
> dsl.thewebdesigner.com.au   CNAME   dsl.thewebdesigner.com.au
> Possible CNAME loop
> That seems to be as bad, if not worse, as the problem you're describing.

That looks a bit like the other bug I submitted along these lines:

http://wiki.powerdns.com/cgi-bin/trac.fcgi/ticket/124

You'll note that PowerDNS answers with a response code of ServFail but
also populates the Answer section; it is unclear to me whether
that's really OK or not. See my dig below for details:

[EMAIL PROTECTED] ~]$ dig AAAA www.thewebdesigner.com.au @fred.shopa.com.au +norecurse

; <<>> DiG 9.4.1 <<>> AAAA www.thewebdesigner.com.au @fred.shopa.com.au +norecurse
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30963
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.thewebdesigner.com.au. IN  AAAA

;; ANSWER SECTION:
www.thewebdesigner.com.au. 10800 IN CNAME   dsl.thewebdesigner.com.au.
dsl.thewebdesigner.com.au. 10800 IN CNAME   dsl.thewebdesigner.com.au.

;; AUTHORITY SECTION:
thewebdesigner.com.au.  10800   IN  SOA ns1.shopa.com.au. hostmaster.shopa.com.au. 20275 10800 3600 604800 3600


-- 
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] CNAME/Wildcard problem - why you should care.

2007-08-02 Thread Augie Schwer
This one came to me personally, but I think it should have gone to the list.

-- Forwarded message --
From: Chris Seufert <[EMAIL PROTECTED]>
Date: Aug 1, 2007 7:12 PM
Subject: Re: [Pdns-users] CNAME/Wildcard problem - why you should care.
To: Augie Schwer <[EMAIL PROTECTED]>


Does this problem come into play when the client who is trying to
resolve the domain name is sitting on an IPv6 network, or does it have
the potential to happen with any IPv6 aware resolver (ie has an IPv4
address, but is IPv6 capable)?

For pure IPv4 client <-> host, will anyone actually see this problem?
The reason I ask is, I have had no complaints from any of our customers.

Just a thought, but instead of using a wildcard CNAME, perhaps you could
use a wildcard A record; this does seem to alleviate the problem, but
it's not fixing the problem though. I see a bigger problem with a lookup
of AAAA records on our installation.

# host -t AAAA www.thewebdesigner.com.au fred.shopa.com.au
www.thewebdesigner.com.au   CNAME   dsl.thewebdesigner.com.au
dsl.thewebdesigner.com.au   CNAME   dsl.thewebdesigner.com.au
...
dsl.thewebdesigner.com.au   CNAME   dsl.thewebdesigner.com.au
dsl.thewebdesigner.com.au   CNAME   dsl.thewebdesigner.com.au
Possible CNAME loop

That seems to be as bad, if not worse, as the problem you're describing.

-Chris

Augie Schwer wrote:
> In an effort to drum up more support for this problem I will explain
> why everyone should care about this problem getting fixed.
> (http://wiki.powerdns.com/cgi-bin/trac.fcgi/ticket/125)
>
> Modern resolving libraries make both AAAA and A requests when doing
> name lookups; Firefox for example makes an AAAA and then an A request.
>
> PowerDNS authoritative servers return incorrect data when they
> encounter a zone with a wild card (*) pointed at a CNAME. For example
> the partial zone below would cause problems:
>
> www.example.com      IN    A        192.168.0.5
> secure.example.com   IN    A        10.0.0.5
> *.example.com        IN    CNAME    www.example.com
>
> Your customers will try and surf to secure.example.com using Firefox
> and be dumbfounded when they end up at www.example.com .
>
> This happens because Firefox requests an AAAA first, your customers'
> recursor (BIND, PowerDNS, etc.) passes the query on to the
> authoritative server for example.com (PowerDNS), the authoritative
> server replies incorrectly that secure.example.com is a CNAME for
> www.example.com , the recursor caches this information, Firefox then
> makes a request for the A record, the recursor answers out of its
> cache that secure.example.com is a CNAME for www.example.com, and
> proceeds to make requests along these lines until the customer is
> eventually given the IP address of www.example.com.
>
> You should care about this problem because the zones and name servers
> involved may not be under your control, but you will still get an
> earful from your customers. You should care because even if all the
> zones and name servers are under your control, the service you provide
> will be perceived as broken. You should care because you will end up
> spending time trouble shooting why some people can resolve domain
> names just fine while others see this broken behavior (internal
> caching servers with authoritative data vs. local/external caching
> servers without authoritative data).
>
> If you are concerned about this behavior then please make yourself
> known; because if I am the only one that thinks this is a problem then
> I certainly don't expect it to get fixed any time soon.
>
>
>



-- 
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


[Pdns-users] CNAME/Wildcard problem - why you should care.

2007-08-01 Thread Augie Schwer
In an effort to drum up more support for this problem I will explain
why everyone should care about this problem getting fixed.
(http://wiki.powerdns.com/cgi-bin/trac.fcgi/ticket/125)

Modern resolving libraries make both AAAA and A requests when doing
name lookups; Firefox for example makes an AAAA and then an A request.

PowerDNS authoritative servers return incorrect data when they
encounter a zone with a wild card (*) pointed at a CNAME. For example
the partial zone below would cause problems:

www.example.com      IN    A        192.168.0.5
secure.example.com   IN    A        10.0.0.5
*.example.com        IN    CNAME    www.example.com

Your customers will try and surf to secure.example.com using Firefox
and be dumbfounded when they end up at www.example.com .

This happens because Firefox requests an AAAA first, your customers'
recursor (BIND, PowerDNS, etc.) passes the query on to the
authoritative server for example.com (PowerDNS), the authoritative
server replies incorrectly that secure.example.com is a CNAME for
www.example.com , the recursor caches this information, Firefox then
makes a request for the A record, the recursor answers out of its
cache that secure.example.com is a CNAME for www.example.com, and
proceeds to make requests along these lines until the customer is
eventually given the IP address of www.example.com.

You should care about this problem because the zones and name servers
involved may not be under your control, but you will still get an
earful from your customers. You should care because even if all the
zones and name servers are under your control, the service you provide
will be perceived as broken. You should care because you will end up
spending time trouble shooting why some people can resolve domain
names just fine while others see this broken behavior (internal
caching servers with authoritative data vs. local/external caching
servers without authoritative data).

If you are concerned about this behavior then please make yourself
known; because if I am the only one that thinks this is a problem then
I certainly don't expect it to get fixed any time soon.


-- 
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


[Pdns-users] CNAME/Wildcard problem.

2007-07-30 Thread Augie Schwer
This seems to be a long standing problem with PowerDNS:

http://mailman.powerdns.com/pipermail/pdns-users/2005-September/002620.html

Simply put, if you point a wild card at a CNAME your sub domains may
not work as PowerDNS returns incorrect data.

If you ask for 'CNAME localhost.schwer.us' you will get the wild card
data even though there is an A record for it.

[EMAIL PROTECTED] ~]$ dig cname localhost.schwer.us @pdns-lab.sr.sonic.net
+norecurse +short
schwer.us.

[EMAIL PROTECTED] ~]$ dig a localhost.schwer.us @pdns-lab.sr.sonic.net
+norecurse +short
127.0.0.1

Interestingly enough, it looks like this was fixed in the tar ball
Bert references in the above email, as I tested it and it does not
exhibit the same behavior.


-- 
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072
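To make concrete what the CNAME/Wildcard messages in this thread argue (the "why you should care" zone and the localhost.schwer.us lookups above), here is an added example; it is not PowerDNS code and does not reproduce its backend logic. A tiny in-memory zone, taken from the post, is served by two lookup functions: lookup_rfc1034 applies the RFC 1034 section 4.3.2 rule that a wildcard is only consulted when the queried name does not exist at all, and lookup_greedy models the reported 2.9.21 behaviour, where a name that exists but has no record of the requested type falls through to the wildcard CNAME. resolve() then follows CNAME chains the way a recursor would, with loop detection for the self-referential CNAME shown in the ticket 124 host output (LOOP_ZONE is constructed from that output). Only the immediate parent's wildcard is considered; the closest-encloser rules of RFC 4592 are omitted.

```python
"""Wildcard handling: RFC 1034 semantics next to the over-greedy behaviour
reported for 2.9.21.

Added example for this thread, not PowerDNS code. ZONE is the one from the
'why you should care' post; LOOP_ZONE is constructed from the host output
quoted for ticket 124. Only the immediate parent's wildcard is considered
(the closest-encloser rules of RFC 4592 are omitted for brevity).
"""

ZONE = {
    "www.example.com": {"A": ["192.168.0.5"]},
    "secure.example.com": {"A": ["10.0.0.5"]},
    "*.example.com": {"CNAME": ["www.example.com"]},
}

LOOP_ZONE = {
    "www.thewebdesigner.com.au": {"CNAME": ["dsl.thewebdesigner.com.au"]},
    "dsl.thewebdesigner.com.au": {"CNAME": ["dsl.thewebdesigner.com.au"]},
}


def _wildcard_for(qname):
    """'*' substituted for the leftmost label, or None for a single label."""
    if "." not in qname:
        return None
    return "*." + qname.split(".", 1)[1]


def _records_at(node, qtype):
    """Records of qtype at a node. A CNAME answers queries for any other type
    (RFC 1034, 3.6.2); an existing name without the type yields NODATA ([])."""
    if qtype != "CNAME" and "CNAME" in node:
        return [("CNAME", r) for r in node["CNAME"]]
    return [(qtype, r) for r in node.get(qtype, [])]


def lookup_rfc1034(zone, qname, qtype):
    """RFC 1034 4.3.2: the wildcard is consulted only when qname does not exist."""
    node = zone.get(qname)
    if node is not None:
        return "NOERROR", _records_at(node, qtype)
    wild = zone.get(_wildcard_for(qname))
    if wild is not None:
        return "NOERROR", _records_at(wild, qtype)  # synthesized under qname
    return "NXDOMAIN", []


def lookup_greedy(zone, qname, qtype):
    """Models the reported bug: an existing qname with no records of qtype
    falls through to the wildcard instead of answering NODATA."""
    node = zone.get(qname)
    if node is not None:
        recs = _records_at(node, qtype)
        if recs:
            return "NOERROR", recs
    wild = zone.get(_wildcard_for(qname))
    if wild is not None:
        return "NOERROR", _records_at(wild, qtype)
    return "NXDOMAIN", []


def resolve(lookup, zone, qname, qtype, max_chain=8):
    """Follow CNAMEs as a recursor would; returns (status, final_name, rdata)."""
    seen = []
    name = qname
    while len(seen) < max_chain:
        seen.append(name)
        rcode, recs = lookup(zone, name, qtype)
        cnames = [r for t, r in recs if t == "CNAME"]
        if qtype == "CNAME" or not cnames:
            return rcode, name, [r for t, r in recs if t == qtype]
        target = cnames[0]
        if target in seen:
            return "CNAME loop", target, []
        name = target
    return "chain too long", name, []


if __name__ == "__main__":
    for fn in (lookup_rfc1034, lookup_greedy):
        print(fn.__name__, "AAAA secure.example.com ->", fn(ZONE, "secure.example.com", "AAAA"))
    print("shop.example.com A via wildcard ->", resolve(lookup_rfc1034, ZONE, "shop.example.com", "A"))
    print("ticket 124 chain ->", resolve(lookup_rfc1034, LOOP_ZONE, "www.thewebdesigner.com.au", "AAAA"))
```

The AAAA query for secure.example.com is the case the post describes: the RFC 1034 lookup returns NOERROR with an empty answer (NODATA), which a recursor caches as "no AAAA here" and then asks for A; the greedy lookup returns the synthesized CNAME to www.example.com, which a recursor caches and applies to the following A query too.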


Re: [Pdns-users] Re: dnsreplay "mostly correct"?

2007-07-26 Thread Augie Schwer

On 7/22/07, bert hubert <[EMAIL PROTECTED]> wrote:
> On Fri, Jul 20, 2007 at 11:40:06AM -0700, Augie Schwer wrote:
> > Never mind, sorry for the spam, they are different. :)
> Hehe - however, do try to use the newer 'dnsreplay' from svn, it is a lot
> more precise and actually has options.


Any chance future revisions of dnsreplay will display a human readable
string? Knowing that they are different is good, knowing how they are
different is even better. :)

Or just point me in the right direction; I messed around with
getZoneRepresentation() in dnsparser and got most of the RDATA out,
but there were still some non-printable chars.


--
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


[Pdns-users] Re: dnsreplay "mostly correct"?

2007-07-20 Thread Augie Schwer

Never mind, sorry for the spam, they are different. :)

On 7/20/07, Augie Schwer <[EMAIL PROTECTED]> wrote:
> I am not sure how to interpret this result from dnsreplay (out of svn):
>
> 'nwinsure.com.|#15', with id 41614 from 0.0.8.7:33321 to
> 209.204.159.20:53, orig rcode: 0, ours: 0, 2 vs 2, perfect: no
> * original nameserver did not provide recursion for this question *
> * mostly correct *
> orig:
> nwinsure.com.   #15 '\# 13 0014087365727665723935c035'
> nwinsure.com.   #15 '\# 22 000a087365727665723934086170707269766572c015'
> new:
> nwinsure.com.   #15 '\# 13 000a087365727665723934c035'
> nwinsure.com.   #15 '\# 22 0014087365727665723935086170707269766572c015'
>
> They look exactly the same, so I'm not sure why dnsreplay returns
> "mostly correct".
>
> Also, dnsreplay is not replaying the entire packet capture. In a
> capture of 26k queries it only replayed 2k; anyone know why that would
> be?
>
> I am going to try the dnsreplay out of the release tar ball, but was
> wondering what was up with this tool.
>
> --
> Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
> Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072




--
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


[Pdns-users] dnsreplay "mostly correct"?

2007-07-20 Thread Augie Schwer

I am not sure how to interpret this result from dnsreplay (out of svn):

'nwinsure.com.|#15', with id 41614 from 0.0.8.7:33321 to
209.204.159.20:53, orig rcode: 0, ours: 0, 2 vs 2, perfect: no
   * original nameserver did not provide recursion for this question *
   * mostly correct *
orig:
   nwinsure.com.   #15 '\# 13 0014087365727665723935c035'
   nwinsure.com.   #15 '\# 22 000a087365727665723934086170707269766572c015'
new:
   nwinsure.com.   #15 '\# 13 000a087365727665723934c035'
   nwinsure.com.   #15 '\# 22 0014087365727665723935086170707269766572c015'

They look exactly the same, so I'm not sure why dnsreplay returns
"mostly correct".

Also, dnsreplay is not replaying the entire packet capture. In a
capture of 26k queries it only replayed 2k; anyone know why that would
be?

I am going to try the dnsreplay out of the release tar ball, but was
wondering what was up with this tool.


--
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072
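The generic "\# <len> <hex>" notation dnsreplay prints is the RFC 3597 form of unknown-type RDATA, and it can be decoded by hand into the human readable form asked for in the follow-up. What follows is an added example, not dnsreplay or PowerDNS code: it decodes type 15 (MX) RDATA, a 16-bit preference followed by a wire-format name, and treats a byte with its top two bits set as a compression pointer into the enclosing packet (RFC 1035 section 4.1.4). Because only the RDATA is shown in the message, a pointer is reported as an offset rather than followed; the sample lines are the "orig" and "new" lines from the post, rejoined where the mail client wrapped them.

```python
"""Decode dnsreplay's generic RDATA dump ('\\# <len> <hex>', the RFC 3597
notation) into readable MX fields.

Added example, not dnsreplay or PowerDNS code. Type 15 (MX) RDATA is a 16-bit
preference followed by a wire-format name; a byte with the top two bits set
starts a compression pointer into the enclosing packet (RFC 1035, 4.1.4).
Only the RDATA is shown in the message, so a pointer is reported as an
offset rather than followed.
"""
import re

_GENERIC = re.compile(r"\\#\s+(\d+)\s+([0-9a-fA-F\s]+)")
_DUMP_LINE = re.compile(r"^\s*(\S+)\s+#(\d+)\s+'(\\#.*)'\s*$", re.S)


def parse_generic_rdata(text):
    """'\\# 13 0014...c035' -> bytes, validating the declared length."""
    m = _GENERIC.fullmatch(text.strip())
    if not m:
        raise ValueError("not RFC 3597 generic RDATA: %r" % text)
    declared = int(m.group(1))
    data = bytes.fromhex("".join(m.group(2).split()))
    if len(data) != declared:
        raise ValueError("declared %d bytes, got %d" % (declared, len(data)))
    return data


def read_name(data, offset):
    """Read labels from offset. Returns (labels, pointer, next_offset); pointer
    is None when the name ended in a root label, else the 14-bit offset."""
    labels = []
    while True:
        if offset >= len(data):
            raise ValueError("name runs past end of RDATA")
        n = data[offset]
        if n == 0:
            return labels, None, offset + 1
        if n & 0xC0 == 0xC0:
            if offset + 1 >= len(data):
                raise ValueError("truncated compression pointer")
            return labels, ((n & 0x3F) << 8) | data[offset + 1], offset + 2
        if n & 0xC0:
            raise ValueError("unsupported label type 0x%02x" % n)
        offset += 1
        if offset + n > len(data):
            raise ValueError("label runs past end of RDATA")
        labels.append(data[offset:offset + n].decode("ascii"))
        offset += n


def decode_mx(text):
    """MX RDATA -> (preference, exchange_labels, pointer_or_None)."""
    data = parse_generic_rdata(text)
    if len(data) < 3:
        raise ValueError("MX RDATA needs a preference and a name")
    pref = int.from_bytes(data[:2], "big")
    labels, ptr, end = read_name(data, 2)
    if end != len(data):
        raise ValueError("%d trailing bytes after exchange" % (len(data) - end))
    return pref, labels, ptr


def describe_line(line):
    """One dnsreplay record line to text; types other than MX stay as hex."""
    m = _DUMP_LINE.match(line)
    if not m:
        raise ValueError("unrecognised dnsreplay line: %r" % line)
    owner, qtype, rdata = m.group(1), int(m.group(2)), m.group(3)
    if qtype != 15:
        return "%s TYPE%d %s" % (owner, qtype, parse_generic_rdata(rdata).hex())
    pref, labels, ptr = decode_mx(rdata)
    if ptr is None:
        name = ".".join(labels) + "."
    else:
        name = ".".join(labels + ["[ptr 0x%02x]" % ptr])
    return "%s MX %d %s" % (owner, pref, name)


# The record lines from the post, wrapped lines rejoined.
ORIG_LINES = [
    "nwinsure.com.   #15 '\\# 13 0014087365727665723935c035'",
    "nwinsure.com.   #15 '\\# 22 000a087365727665723934086170707269766572c015'",
]
NEW_LINES = [
    "nwinsure.com.   #15 '\\# 13 000a087365727665723934c035'",
    "nwinsure.com.   #15 '\\# 22 0014087365727665723935086170707269766572c015'",
]

if __name__ == "__main__":
    for title, lines in (("orig", ORIG_LINES), ("new", NEW_LINES)):
        print(title + ":")
        for line in lines:
            print("   " + describe_line(line))
```

Decoded, the two answers hold the same two preferences and host labels but differ in which exchange carries the spelled-out "appriver" label and which carries only a pointer; the pointer targets sit in the rest of each packet, so the dump alone cannot show whether both name the same suffix, and a byte-for-byte comparison of the RDATA will never call them identical.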


Re: [Pdns-users] migration slave powerdns to other server

2007-07-13 Thread Augie Schwer

On 7/10/07, rachid achellal <[EMAIL PROTECTED]> wrote:
> We are running qmysql backend master/slave.
> Could you tell me how to do this?


Something like this:

http://www.schwer.us/journal/2006/12/20/mysql-replication-creating-additional-slaves/


--
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] migration slave powerdns to other server

2007-07-10 Thread Augie Schwer

On 7/9/07, rachid achellal <[EMAIL PROTECTED]> wrote:
> Is it possible to move a slave powerdns server to another server?


I suppose it depends on your backend; with a gmysql backend and MySQL
replication moving a slave is as easy as running tar.


--
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Failover A Record

2007-07-05 Thread Augie Schwer

On 7/5/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> I am not sure this can be done or how.
> Basically what I want is when the webserver is down
> DNS will fail over and point requests to an offsite webserver that just says we
> are offline.
> I only want this to happen if the main webserver fails the request.
> Is this possible, and what must I do to make it happen?
> Thanks All


You want a "heart beat" solution which specifically doesn't have
anything to do with PowerDNS. You can google "heart beat" or "high
availability" or "Linux ha" for example.


--
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072


Re: [Pdns-users] Zone transfer from supermaster fails: Error resolving SOA or NS

2007-05-08 Thread Augie Schwer

On 5/3/07, Bas van Schaik <[EMAIL PROTECTED]> wrote:
> Anyone? It's a really annoying problem!


If replication is not working correctly you might want to check your
SQL logs for errors.

What version of PowerDNS are you running?


--
Augie Schwer-[EMAIL PROTECTED]-http://schwer.us
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072

